diff --git a/.github/workflows/app-ci-cd.yml b/.github/workflows/app-ci-cd.yml
index 6ed9ebc..6224c12 100644
--- a/.github/workflows/app-ci-cd.yml
+++ b/.github/workflows/app-ci-cd.yml
@@ -5,14 +5,17 @@ on:
branches: [ '*' ]
paths:
- 'app/**'
+ - '!app/tf/**'
- 'deploy/**'
- '.github/workflows/app-ci-cd.yml'
pull_request:
branches: ["main"]
paths:
- 'app/**'
+ - '!app/tf/**'
- 'deploy/**'
- '.github/workflows/app-ci-cd.yml'
+
env:
AWS_REGION: us-east-2 # set this to your preferred AWS region, e.g. us-west-1
ECR_REPOSITORY: app-6
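Review bot: `branches: [ '*' ]` at the top of this hunk only matches branch names that contain no `/`, because a single `*` in a GitHub Actions filter does not cross the path separator, so pushes to `feature/...`-style branches never trigger the workflow; `branches: [ '**' ]` is what "every branch" needs. The same filter is copied into the new terraform-ecr.yml workflow later in this diff. The added `'!app/tf/**'` exclusion is placed after `'app/**'`, which is the order GitHub requires for a negation to take effect, so that part looks right.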
@@ -45,7 +48,7 @@ jobs:
- name: Configure AWS Credentials Action For GitHub Actions
uses: aws-actions/configure-aws-credentials@v4
with:
- role-to-assume: ${{ secrets.IAM_ROLE }}
+ role-to-assume: ${{ secrets.CENTRAL_ACCOUNT_IAM_ROLE }}
role-session-name: AWSSession
aws-region: ${{ env.AWS_REGION }}
# https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions
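Review bot: The session name stays at the fixed `AWSSession` while the role is switched to `CENTRAL_ACCOUNT_IAM_ROLE`, so CloudTrail events from this workflow cannot be attributed to a particular run; `role-session-name: gha-${{ github.run_id }}` is a cheap improvement in the same `with:` block. Because the role now lives in a central account and this workflow fires on pushes to every branch, it is worth confirming that the role's trust policy conditions the OIDC `sub` claim on this repository (and on `main` or an environment for anything beyond pushing to ECR), since the workflow file itself cannot enforce that. The old `IAM_ROLE` secret is still referenced in the commented-out deploy job later in this diff.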
@@ -92,151 +95,152 @@ jobs:
run: echo "IMAGE_ID=$REGISTRY/$REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
outputs:
image-id: ${{ steps.create-output.outputs.IMAGE_ID }}
- deploy:
- needs: build
- name: 'continuous-deployment'
- runs-on: ubuntu-latest
- environment: development
- env:
- IMAGE_ID: ${{ needs.build.outputs.image-id }}
- permissions:
- contents: read
- id-token: write
- pull-requests: write
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
- defaults:
- run:
- shell: bash
- working-directory: ./deploy
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
- - name: Print Image Tag
- run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}"
- - name: Configure AWS Credentials Action For GitHub Actions
- uses: aws-actions/configure-aws-credentials@v1-node16
- with:
- role-to-assume: ${{ secrets.IAM_ROLE }}
- role-session-name: AWSSession
- aws-region: ${{ env.AWS_REGION }}
- # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v1
-
- - name: Setup Infracost
- uses: infracost/actions/setup@v2
- # See https://github.com/infracost/actions/tree/master/setup for other inputs
- # If you can't use this action, see Docker images in https://infracost.io/cicd
- with:
- api-key: ${{ secrets.INFRACOST_API_KEY }}
- if: github.event_name == 'pull_request'
+ # deploy:
+ # needs: build
+ # name: 'continuous-deployment'
+ # runs-on: ubuntu-latest
+ # environment: development
+ # env:
+ # IMAGE_ID: ${{ needs.build.outputs.image-id }}
+ # permissions:
+ # contents: read
+ # id-token: write
+ # pull-requests: write
+ # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ # # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+ # defaults:
+ # run:
+ # shell: bash
+ # working-directory: ./deploy
+ # steps:
+ # # Checkout the repository to the GitHub Actions runner
+ # - name: Checkout
+ # uses: actions/checkout@v3
+ # - name: Print Image Tag
+ # run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}"
+ # - name: Configure AWS Credentials Action For GitHub Actions
+ # uses: aws-actions/configure-aws-credentials@v1-node16
+ # with:
+ # role-to-assume: ${{ secrets.IAM_ROLE }}
+ # role-session-name: AWSSession
+ # aws-region: ${{ env.AWS_REGION }}
- # Checkout the base branch of the pull request (e.g. main/master).
- - name: Checkout base branch
- if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
- uses: actions/checkout@v3
- with:
- ref: '${{ github.event.pull_request.base.ref }}'
+ # # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+ # - name: Setup Terraform
+ # uses: hashicorp/setup-terraform@v1
+
+ # - name: Setup Infracost
+ # uses: infracost/actions/setup@v2
+ # # See https://github.com/infracost/actions/tree/master/setup for other inputs
+ # # If you can't use this action, see Docker images in https://infracost.io/cicd
+ # with:
+ # api-key: ${{ secrets.INFRACOST_API_KEY }}
+ # if: github.event_name == 'pull_request'
+
+ # # Checkout the base branch of the pull request (e.g. main/master).
+ # - name: Checkout base branch
+ # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ # uses: actions/checkout@v3
+ # with:
+ # ref: '${{ github.event.pull_request.base.ref }}'
- # Generate Infracost JSON file as the baseline.
- - name: Generate Infracost cost estimate baseline
- if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
- run: |
- infracost breakdown --path=. \
- --format=json \
- --out-file=/tmp/infracost-base.json
-
- # Checkout the current PR branch so we can create a diff.
- - name: Checkout PR branch
- if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
- uses: actions/checkout@v3
+ # # Generate Infracost JSON file as the baseline.
+ # - name: Generate Infracost cost estimate baseline
+ # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ # run: |
+ # infracost breakdown --path=. \
+ # --format=json \
+ # --out-file=/tmp/infracost-base.json
- # Generate an Infracost diff and save it to a JSON file.
- - name: Generate Infracost diff
- if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
- run: |
- infracost diff --path=. \
- --format=json \
- --compare-to=/tmp/infracost-base.json \
- --out-file=/tmp/infracost.json
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- id: init
- run: terraform init
-
- # Checks that all Terraform configuration files adhere to a canonical format
- - name: Terraform Format
- id: fmt
- run: terraform fmt -check
- # Checks that all Terraform configuration files are correctly written
- - name: Terraform Validate
- id: validate
- run: terraform validate -no-color
- # Generates an execution plan for Terraform
- - name: Terraform Plan
- id: plan
- if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
- run: |
- terraform plan -no-color -input=false \
- -var="image_tag=${{ env.IMAGE_ID }}" \
- -out=TFplan.JSON
- continue-on-error: true
-
- # Generate an Infracost diff and save it to a JSON file.
- - name: Generate Infracost diff
- if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
- run: |
- infracost diff --path=TFplan.JSON \
- --format=json \
- --out-file=/tmp/infracost.json
-
- - name: Post Infracost estimate
- if: github.event_name == 'pull_request'
- run: |
- infracost comment github --path=/tmp/infracost.json \
- --repo=$GITHUB_REPOSITORY \
- --github-token=${{github.token}} \
- --pull-request=${{github.event.pull_request.number}} \
- --show-skipped \
- --behavior=update
-
- - name: Post Terraform Plan output
- uses: actions/github-script@v6
- if: github.event_name == 'pull_request'
- env:
- PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
- #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
- #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
- #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
-
- Show Plan
-
- \`\`\`\n
- ${process.env.PLAN}
- \`\`\`
-
-
-
- *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
-
- # On push to "main", build or change infrastructure according to Terraform configuration files
- # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- - name: Terraform Apply
- if: github.ref == 'refs/heads/main'
- run: |
- terraform apply -auto-approve -input=false \
- -var="image_tag=${{ env.IMAGE_ID }}"
+ # # Checkout the current PR branch so we can create a diff.
+ # - name: Checkout PR branch
+ # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ # uses: actions/checkout@v3
+
+ # # Generate an Infracost diff and save it to a JSON file.
+ # - name: Generate Infracost diff
+ # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ # run: |
+ # infracost diff --path=. \
+ # --format=json \
+ # --compare-to=/tmp/infracost-base.json \
+ # --out-file=/tmp/infracost.json
+
+ # # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ # - name: Terraform Init
+ # id: init
+ # run: terraform init
+
+ # # Checks that all Terraform configuration files adhere to a canonical format
+ # - name: Terraform Format
+ # id: fmt
+ # run: terraform fmt -check
+ # # Checks that all Terraform configuration files are correctly written
+ # - name: Terraform Validate
+ # id: validate
+ # run: terraform validate -no-color
+ # # Generates an execution plan for Terraform
+ # - name: Terraform Plan
+ # id: plan
+ # if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
+ # run: |
+ # terraform plan -no-color -input=false \
+ # -var="image_tag=${{ env.IMAGE_ID }}" \
+ # -out=TFplan.JSON
+ # continue-on-error: true
+
+ # # Generate an Infracost diff and save it to a JSON file.
+ # - name: Generate Infracost diff
+ # if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
+ # run: |
+ # infracost diff --path=TFplan.JSON \
+ # --format=json \
+ # --out-file=/tmp/infracost.json
+
+ # - name: Post Infracost estimate
+ # if: github.event_name == 'pull_request'
+ # run: |
+ # infracost comment github --path=/tmp/infracost.json \
+ # --repo=$GITHUB_REPOSITORY \
+ # --github-token=${{github.token}} \
+ # --pull-request=${{github.event.pull_request.number}} \
+ # --show-skipped \
+ # --behavior=update
+
+ # - name: Post Terraform Plan output
+ # uses: actions/github-script@v6
+ # if: github.event_name == 'pull_request'
+ # env:
+ # PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+ # with:
+ # github-token: ${{ secrets.GITHUB_TOKEN }}
+ # script: |
+ # const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+ # #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+ # #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+ # #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+
+ # Show Plan
+
+ # \`\`\`\n
+ # ${process.env.PLAN}
+ # \`\`\`
+
+ #
+
+ # *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+ # github.rest.issues.createComment({
+ # issue_number: context.issue.number,
+ # owner: context.repo.owner,
+ # repo: context.repo.repo,
+ # body: output
+ # })
+
+ # # On push to "main", build or change infrastructure according to Terraform configuration files
+ # # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
+ # - name: Terraform Apply
+ # if: github.ref == 'refs/heads/main'
+ # run: |
+ # terraform apply -auto-approve -input=false \
+ # -var="image_tag=${{ env.IMAGE_ID }}"
\ No newline at end of file
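Review bot: Commenting out the whole `deploy` job leaves roughly 150 lines of dead YAML in the workflow, and the `build` job at the top of the hunk still exports `image-id` with nothing consuming it. If the job is meant to come back, keep it live and disable it with `if: ${{ false }}` (or delete it and point at the commit in history), so the copy does not rot; the commented version already carries `role-to-assume: ${{ secrets.IAM_ROLE }}` and `aws-actions/configure-aws-credentials@v1-node16`, both of which this same commit replaces in the live `build` job. The file also loses its trailing newline at the end of the block.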
diff --git a/.github/workflows/terraform-ecr.yml b/.github/workflows/terraform-ecr.yml
new file mode 100644
index 0000000..fa199ea
--- /dev/null
+++ b/.github/workflows/terraform-ecr.yml
@@ -0,0 +1,166 @@
+name: terraform-ecr-provisioning
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ '*' ]
+ paths:
+ - 'app/tf/**'
+ - '.github/workflows/terraform-ecr.yml'
+ pull_request:
+ branches: ["main"]
+ paths:
+ - 'app/tf/**'
+ - '.github/workflows/terraform-ecr.yml'
+env:
+ AWS_REGION: us-east-2 # set this to your preferred AWS region, e.g. us-west-1
+permissions: read-all
+#--------------------------
+#
+# PLEASE READ: Add a GitHub Actions variable 'INFRACOST_SCAN_TYPE' and set the value to either 'hcl_code' or 'tf_plan' depending on what type of Infracost scan desired.
+#
+#--------------------------
+jobs:
+ terraform:
+ name: 'continuous-integration'
+ runs-on: ubuntu-latest
+ environment: development
+ permissions:
+ contents: read
+ id-token: write
+ pull-requests: write
+ # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+ defaults:
+ run:
+ shell: bash
+ working-directory: ./app/tf
+
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure AWS Credentials Action For GitHub Actions
+ uses: aws-actions/configure-aws-credentials@v1-node16
+ with:
+ role-to-assume: ${{ secrets.CENTRAL_ACCOUNT_IAM_ROLE }}
+ role-session-name: AWSSession
+ aws-region: ${{ env.AWS_REGION }}
+
+ # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v1
+
+ - name: Setup Infracost
+ uses: infracost/actions/setup@v2
+ # See https://github.com/infracost/actions/tree/master/setup for other inputs
+ # If you can't use this action, see Docker images in https://infracost.io/cicd
+ with:
+ api-key: ${{ secrets.INFRACOST_API_KEY }}
+ if: github.event_name == 'pull_request'
+
+ # Checkout the base branch of the pull request (e.g. main/master).
+ - name: Checkout base branch
+ if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ uses: actions/checkout@v3
+ with:
+ ref: '${{ github.event.pull_request.base.ref }}'
+
+ # Generate Infracost JSON file as the baseline.
+ - name: Generate Infracost cost estimate baseline
+ if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ run: |
+ infracost breakdown --path=. \
+ --format=json \
+ --out-file=/tmp/infracost-base.json
+
+ # Checkout the current PR branch so we can create a diff.
+ - name: Checkout PR branch
+ if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ uses: actions/checkout@v3
+
+ # Generate an Infracost diff and save it to a JSON file.
+ - name: Generate Infracost diff
+ if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
+ run: |
+ infracost diff --path=. \
+ --format=json \
+ --compare-to=/tmp/infracost-base.json \
+ --out-file=/tmp/infracost.json
+
+ # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ - name: Terraform Init
+ id: init
+ run: terraform init
+
+ # Checks that all Terraform configuration files adhere to a canonical format
+ - name: Terraform Format
+ id: fmt
+ run: terraform fmt -check
+ # Checks that all Terraform configuration files are correctly written
+ - name: Terraform Validate
+ id: validate
+ run: terraform validate -no-color
+ # Generates an execution plan for Terraform
+ - name: Terraform Plan
+ id: plan
+ if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
+ run: |
+ terraform plan -no-color -input=false \
+ -out=TFplan.JSON
+ continue-on-error: true
+
+ # Generate an Infracost diff and save it to a JSON file.
+ - name: Generate Infracost diff
+ if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
+ run: |
+ infracost diff --path=TFplan.JSON \
+ --format=json \
+ --out-file=/tmp/infracost.json
+
+ - name: Post Infracost estimate
+ if: github.event_name == 'pull_request'
+ run: |
+ infracost comment github --path=/tmp/infracost.json \
+ --repo=$GITHUB_REPOSITORY \
+ --github-token=${{github.token}} \
+ --pull-request=${{github.event.pull_request.number}} \
+ --show-skipped \
+ --behavior=update
+
+ - name: Post Terraform Plan output
+ uses: actions/github-script@v6
+ if: github.event_name == 'pull_request'
+ env:
+ PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+ #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+ #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+ #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+
+ Show Plan
+
+ \`\`\`\n
+ ${process.env.PLAN}
+ \`\`\`
+
+
+
+ *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ })
+
+ # On push to "main", build or change infrastructure according to Terraform configuration files
+ # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
+ - name: Terraform Apply
+ if: github.ref == 'refs/heads/main'
+ run: |
+ terraform apply -auto-approve -input=false
\ No newline at end of file
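Review bot: `Terraform Apply` on a push to main runs without a plan, because `Terraform Plan` is skipped when `github.ref == 'refs/heads/main'` and the apply does not consume `TFplan.JSON`, so what gets applied is never the plan that was reviewed on the PR, and `continue-on-error: true` means a failing plan would not block the apply even if it did run. Run the plan on every event, gate the apply on its outcome, and apply the saved plan: `if: github.ref == 'refs/heads/main' && steps.plan.outcome == 'success'` and `run: terraform apply -input=false TFplan.JSON` (a saved plan needs no `-auto-approve`). Since `push` fires on every branch and `terraform plan` executes provider code, each branch push presumably runs with whatever `CENTRAL_ACCOUNT_IAM_ROLE` grants; the role's trust policy and permissions should be scoped so that non-main refs can only plan. Two smaller points: this file pins `aws-actions/configure-aws-credentials@v1-node16` while app-ci-cd.yml moves to `@v4` in this same commit, and the file ends without a trailing newline.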