diff --git a/.github/workflows/app-ci-cd.yml b/.github/workflows/app-ci-cd.yml index 6ed9ebc..6224c12 100644 --- a/.github/workflows/app-ci-cd.yml +++ b/.github/workflows/app-ci-cd.yml @@ -5,14 +5,17 @@ on: branches: [ '*' ] paths: - 'app/**' + - '!app/tf/**' - 'deploy/**' - '.github/workflows/app-ci-cd.yml' pull_request: branches: ["main"] paths: - 'app/**' + - '!app/tf/**' - 'deploy/**' - '.github/workflows/app-ci-cd.yml' + env: AWS_REGION: us-east-2 # set this to your preferred AWS region, e.g. us-west-1 ECR_REPOSITORY: app-6 @@ -45,7 +48,7 @@ jobs: - name: Configure AWS Credentials Action For GitHub Actions uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.IAM_ROLE }} + role-to-assume: ${{ secrets.CENTRAL_ACCOUNT_IAM_ROLE }} role-session-name: AWSSession aws-region: ${{ env.AWS_REGION }} # https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions 
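Review bot: Switching the build job to `secrets.CENTRAL_ACCOUNT_IAM_ROLE` widens what a push to any branch can reach, because the trigger in this same hunk is `branches: [ '*' ]` and the job presumably keeps `id-token: write` (its `permissions:` block is outside the hunk) to assume that role. Nothing in the workflow bounds this; the guard has to be the role's trust policy, so confirm its `token.actions.githubusercontent.com:sub` condition is limited to this repository and, if feature-branch image pushes are not required, to `ref:refs/heads/main` or a protected environment, and that the role's permissions are scoped to the `app-6` ECR repository only. A one-line comment above the step would record that dependency, e.g. `# Trust policy for this role must pin the OIDC sub claim to this repo/ref; the workflow itself does not restrict which branch can assume it`.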
@@ -92,151 +95,152 @@ jobs: run: echo "IMAGE_ID=$REGISTRY/$REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT outputs: image-id: ${{ steps.create-output.outputs.IMAGE_ID }} - deploy: - needs: build - name: 'continuous-deployment' - runs-on: ubuntu-latest - environment: development - env: - IMAGE_ID: ${{ needs.build.outputs.image-id }} - permissions: - contents: read - id-token: write - pull-requests: write - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest - defaults: - run: - shell: bash - working-directory: ./deploy - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - name: Print Image Tag - run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}" - - name: Configure AWS Credentials Action For GitHub Actions - uses: aws-actions/configure-aws-credentials@v1-node16 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: AWSSession - aws-region: ${{ env.AWS_REGION }} - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 - - - name: Setup Infracost - uses: infracost/actions/setup@v2 - # See https://github.com/infracost/actions/tree/master/setup for other inputs - # If you can't use this action, see Docker images in https://infracost.io/cicd - with: - api-key: ${{ secrets.INFRACOST_API_KEY }} - if: github.event_name == 'pull_request' + # deploy: + # needs: build + # name: 'continuous-deployment' + # runs-on: ubuntu-latest + # environment: development + # env: + # IMAGE_ID: ${{ needs.build.outputs.image-id }} + # permissions: + # contents: read + # id-token: write + # pull-requests: write + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # # Use the Bash shell 
regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest + # defaults: + # run: + # shell: bash + # working-directory: ./deploy + # steps: + # # Checkout the repository to the GitHub Actions runner + # - name: Checkout + # uses: actions/checkout@v3 + # - name: Print Image Tag + # run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}" + # - name: Configure AWS Credentials Action For GitHub Actions + # uses: aws-actions/configure-aws-credentials@v1-node16 + # with: + # role-to-assume: ${{ secrets.IAM_ROLE }} + # role-session-name: AWSSession + # aws-region: ${{ env.AWS_REGION }} - # Checkout the base branch of the pull request (e.g. main/master). - - name: Checkout base branch - if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} - uses: actions/checkout@v3 - with: - ref: '${{ github.event.pull_request.base.ref }}' + # # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + # - name: Setup Terraform + # uses: hashicorp/setup-terraform@v1 + + # - name: Setup Infracost + # uses: infracost/actions/setup@v2 + # # See https://github.com/infracost/actions/tree/master/setup for other inputs + # # If you can't use this action, see Docker images in https://infracost.io/cicd + # with: + # api-key: ${{ secrets.INFRACOST_API_KEY }} + # if: github.event_name == 'pull_request' + + # # Checkout the base branch of the pull request (e.g. main/master). + # - name: Checkout base branch + # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + # uses: actions/checkout@v3 + # with: + # ref: '${{ github.event.pull_request.base.ref }}' - # Generate Infracost JSON file as the baseline. - - name: Generate Infracost cost estimate baseline - if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} - run: | - infracost breakdown --path=. 
\ - --format=json \ - --out-file=/tmp/infracost-base.json - - # Checkout the current PR branch so we can create a diff. - - name: Checkout PR branch - if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} - uses: actions/checkout@v3 + # # Generate Infracost JSON file as the baseline. + # - name: Generate Infracost cost estimate baseline + # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + # run: | + # infracost breakdown --path=. \ + # --format=json \ + # --out-file=/tmp/infracost-base.json - # Generate an Infracost diff and save it to a JSON file. - - name: Generate Infracost diff - if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} - run: | - infracost diff --path=. \ - --format=json \ - --compare-to=/tmp/infracost-base.json \ - --out-file=/tmp/infracost.json - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - id: init - run: terraform init - - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format - id: fmt - run: terraform fmt -check - # Checks that all Terraform configuration files are correctly written - - name: Terraform Validate - id: validate - run: terraform validate -no-color - # Generates an execution plan for Terraform - - name: Terraform Plan - id: plan - if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request' - run: | - terraform plan -no-color -input=false \ - -var="image_tag=${{ env.IMAGE_ID }}" \ - -out=TFplan.JSON - continue-on-error: true - - # Generate an Infracost diff and save it to a JSON file. 
- - name: Generate Infracost diff - if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }} - run: | - infracost diff --path=TFplan.JSON \ - --format=json \ - --out-file=/tmp/infracost.json - - - name: Post Infracost estimate - if: github.event_name == 'pull_request' - run: | - infracost comment github --path=/tmp/infracost.json \ - --repo=$GITHUB_REPOSITORY \ - --github-token=${{github.token}} \ - --pull-request=${{github.event.pull_request.number}} \ - --show-skipped \ - --behavior=update - - - name: Post Terraform Plan output - uses: actions/github-script@v6 - if: github.event_name == 'pull_request' - env: - PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` - #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` - #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` - #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` - -
Show Plan - - \`\`\`\n - ${process.env.PLAN} - \`\`\` - -
- - *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) - - # On push to "main", build or change infrastructure according to Terraform configuration files - # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - - name: Terraform Apply - if: github.ref == 'refs/heads/main' - run: | - terraform apply -auto-approve -input=false \ - -var="image_tag=${{ env.IMAGE_ID }}" + # # Checkout the current PR branch so we can create a diff. + # - name: Checkout PR branch + # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + # uses: actions/checkout@v3 + + # # Generate an Infracost diff and save it to a JSON file. + # - name: Generate Infracost diff + # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + # run: | + # infracost diff --path=. \ + # --format=json \ + # --compare-to=/tmp/infracost-base.json \ + # --out-file=/tmp/infracost.json + + # # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. 
+ # - name: Terraform Init + # id: init + # run: terraform init + + # # Checks that all Terraform configuration files adhere to a canonical format + # - name: Terraform Format + # id: fmt + # run: terraform fmt -check + # # Checks that all Terraform configuration files are correctly written + # - name: Terraform Validate + # id: validate + # run: terraform validate -no-color + # # Generates an execution plan for Terraform + # - name: Terraform Plan + # id: plan + # if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request' + # run: | + # terraform plan -no-color -input=false \ + # -var="image_tag=${{ env.IMAGE_ID }}" \ + # -out=TFplan.JSON + # continue-on-error: true + + # # Generate an Infracost diff and save it to a JSON file. + # - name: Generate Infracost diff + # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }} + # run: | + # infracost diff --path=TFplan.JSON \ + # --format=json \ + # --out-file=/tmp/infracost.json + + # - name: Post Infracost estimate + # if: github.event_name == 'pull_request' + # run: | + # infracost comment github --path=/tmp/infracost.json \ + # --repo=$GITHUB_REPOSITORY \ + # --github-token=${{github.token}} \ + # --pull-request=${{github.event.pull_request.number}} \ + # --show-skipped \ + # --behavior=update + + # - name: Post Terraform Plan output + # uses: actions/github-script@v6 + # if: github.event_name == 'pull_request' + # env: + # PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + # with: + # github-token: ${{ secrets.GITHUB_TOKEN }} + # script: | + # const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + # #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + # #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` + # #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` + + #
Show Plan + + # \`\`\`\n + # ${process.env.PLAN} + # \`\`\` + + #
+ + # *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + + # github.rest.issues.createComment({ + # issue_number: context.issue.number, + # owner: context.repo.owner, + # repo: context.repo.repo, + # body: output + # }) + + # # On push to "main", build or change infrastructure according to Terraform configuration files + # # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks + # - name: Terraform Apply + # if: github.ref == 'refs/heads/main' + # run: | + # terraform apply -auto-approve -input=false \ + # -var="image_tag=${{ env.IMAGE_ID }}" \ No newline at end of file diff --git a/.github/workflows/terraform-ecr.yml b/.github/workflows/terraform-ecr.yml new file mode 100644 index 0000000..fa199ea --- /dev/null +++ b/.github/workflows/terraform-ecr.yml 
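Review bot: The deploy job is commented out rather than removed, leaving roughly 150 lines of dead YAML on the new side that still reference `secrets.IAM_ROLE` (which this same commit replaces in the build job) and the superseded `aws-actions/configure-aws-credentials@v1-node16`. Git history already preserves the job; deleting the block, or replacing it with a two-line comment such as `# deploy job removed; ECR provisioning now lives in .github/workflows/terraform-ecr.yml`, avoids someone later un-commenting a job that would run `terraform apply -auto-approve` with stale credential wiring. If it is meant to return, a short comment at the top stating why it is disabled and what must be updated first (role secret, action versions) would help the next maintainer.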
@@ -0,0 +1,166 @@ +name: terraform-ecr-provisioning + +on: + workflow_dispatch: + push: + branches: [ '*' ] + paths: + - 'app/tf/**' + - '.github/workflows/terraform-ecr.yml' + pull_request: + branches: ["main"] + paths: + - 'app/tf/**' + - '.github/workflows/terraform-ecr.yml' +env: + AWS_REGION: us-east-2 # set this to your preferred AWS region, e.g. us-west-1 +permissions: read-all +#-------------------------- +# +# PLEASE READ: Add a GitHub Actions variable 'INFRACOST_SCAN_TYPE' and set the value to either 'hcl_code' or 'tf_plan' depending on what type of Infracost scan desired. +# +#-------------------------- +jobs: + terraform: + name: 'continuous-integration' + runs-on: ubuntu-latest + environment: development + permissions: + contents: read + id-token: write + pull-requests: write + # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest + defaults: + run: + shell: bash + working-directory: ./app/tf + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + + - name: Configure AWS Credentials Action For GitHub Actions + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + role-to-assume: ${{ secrets.CENTRAL_ACCOUNT_IAM_ROLE }} + role-session-name: AWSSession + aws-region: ${{ env.AWS_REGION }} + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + + - name: Setup Infracost + uses: infracost/actions/setup@v2 + # See https://github.com/infracost/actions/tree/master/setup for other inputs + # If you can't use this action, see Docker images in https://infracost.io/cicd + with: + api-key: ${{ secrets.INFRACOST_API_KEY }} + if: github.event_name == 'pull_request' + + # Checkout the base branch of the pull request (e.g. main/master). 
+ - name: Checkout base branch + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + uses: actions/checkout@v3 + with: + ref: '${{ github.event.pull_request.base.ref }}' + + # Generate Infracost JSON file as the baseline. + - name: Generate Infracost cost estimate baseline + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + run: | + infracost breakdown --path=. \ + --format=json \ + --out-file=/tmp/infracost-base.json + + # Checkout the current PR branch so we can create a diff. + - name: Checkout PR branch + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + uses: actions/checkout@v3 + + # Generate an Infracost diff and save it to a JSON file. + - name: Generate Infracost diff + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + run: | + infracost diff --path=. \ + --format=json \ + --compare-to=/tmp/infracost-base.json \ + --out-file=/tmp/infracost.json + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + id: init + run: terraform init + + # Checks that all Terraform configuration files adhere to a canonical format + - name: Terraform Format + id: fmt + run: terraform fmt -check + # Checks that all Terraform configuration files are correctly written + - name: Terraform Validate + id: validate + run: terraform validate -no-color + # Generates an execution plan for Terraform + - name: Terraform Plan + id: plan + if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request' + run: | + terraform plan -no-color -input=false \ + -out=TFplan.JSON + continue-on-error: true + + # Generate an Infracost diff and save it to a JSON file. 
+ - name: Generate Infracost diff + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }} + run: | + infracost diff --path=TFplan.JSON \ + --format=json \ + --out-file=/tmp/infracost.json + + - name: Post Infracost estimate + if: github.event_name == 'pull_request' + run: | + infracost comment github --path=/tmp/infracost.json \ + --repo=$GITHUB_REPOSITORY \ + --github-token=${{github.token}} \ + --pull-request=${{github.event.pull_request.number}} \ + --show-skipped \ + --behavior=update + + - name: Post Terraform Plan output + uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` + #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` + +
Show Plan + + \`\`\`\n + ${process.env.PLAN} + \`\`\` + +
+ + *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + + # On push to "main", build or change infrastructure according to Terraform configuration files + # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks + - name: Terraform Apply + if: github.ref == 'refs/heads/main' + run: | + terraform apply -auto-approve -input=false \ No newline at end of file
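Review bot: On a push to `main` the `Terraform Apply` step runs `terraform apply -auto-approve` with no plan file, while `Terraform Plan` is skipped there by its `if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'`, so what is applied is never a plan anyone saw, and `continue-on-error: true` on the plan step also leaves a PR check green when the plan fails. Run the plan on every event, fail the job when `steps.plan.outcome` is `failure`, and apply the saved `TFplan.JSON` so apply cannot diverge from the plan produced in the same run (a true reviewed-plan handoff would additionally need the PR run's plan uploaded as an artifact). Separately, this new file pins `aws-actions/configure-aws-credentials@v1-node16` while the sibling workflow in this same commit moved to `@v4`; use `@v4` here too, ideally pinned to a full commit SHA, and consider the same for `actions/checkout@v3`, `hashicorp/setup-terraform@v1` and `actions/github-script@v6`. The `push` trigger on `branches: [ '*' ]` combined with `id-token: write` lets any branch assume `secrets.CENTRAL_ACCOUNT_IAM_ROLE`; the `environment: development` protection rules and the role's trust-policy `sub` condition are what bound that, so confirm both are restrictive.
```yaml
      - name: Terraform Plan
        id: plan
        run: |
          terraform plan -no-color -input=false \
            -out=TFplan.JSON
        continue-on-error: true

      # … unchanged: Infracost diff/comment and plan-output steps …

      - name: Terraform Plan Status
        if: steps.plan.outcome == 'failure'
        run: exit 1

      - name: Terraform Apply
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply -input=false TFplan.JSON
```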