From 1050676b2e0bc645f5ba55d36b78fe72650e3a0d Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Mon, 7 Oct 2024 16:15:42 -0700
Subject: [PATCH 1/5] Repo cleanup (#21) * pushing latest
---
imported-repos.tf | 14 ++++++++++++
main.tf | 17 ---------------
repolist.tf | 18 +++++++---------
varfiles/default.tfvars | 48 ++++++++++++++++++++++++++++++++++++++++-
variables.tf | 1 +
5 files changed, 70 insertions(+), 28 deletions(-)
create mode 100644 imported-repos.tf
diff --git a/imported-repos.tf b/imported-repos.tf
new file mode 100644
index 0000000..cfc8959
--- /dev/null
+++ b/imported-repos.tf
@@ -0,0 +1,14 @@
+module "netbackup_automation_platform" {
+ source = "HappyPathway/gh-actions/importer"
+ github_repo_topics = []
+ vulnerability_alerts = false
+ public_repo = {
+ default_branch = "main"
+ clone_url = "https://github.com/VeritasOS/netbackup-automation-platform.git"
+ }
+ internal_repo = {
+ name = "netbackup-automation-platform"
+ org = "CSVD"
+ topics = ["automation-platform"]
+ }
+}
diff --git a/main.tf b/main.tf
index a10c620..1205503 100644
--- a/main.tf
+++ b/main.tf
@@ -68,23 +68,6 @@ module "csvd-org-management" { github_org_teams = local.github_organization_teams }
-module "external-actions" {
- source = "HappyPathway/repo/github"
- #github_codeowners_team = "CSVD"
- github_repo_description = "Automation Repos for Morpheus POC"
- repo_org = "CSVD"
- name = "external-actions"
- github_repo_topics = [
- "terraform"
- ]
- force_name = true
- create_codeowners = false
- enforce_prs = false
- collaborators = local.collaborators
- pull_request_bypassers = local.pull_request_bypassers
- github_org_teams = local.github_organization_teams
-}
- module "github-runner-images" { source = "HappyPathway/repo/github" #github_codeowners_team = "CSVD"
diff --git a/repolist.tf b/repolist.tf
index 4c11376..bed6c3a 100644
--- a/repolist.tf
+++ b/repolist.tf
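Review bot: `source = "HappyPathway/gh-actions/importer"` carries no `version` argument, so each init resolves whatever the registry currently serves and an upstream change to the importer module lands in this org's repository configuration without review; add a pinned `version = "<module version>"` beside it. `vulnerability_alerts = false` disables Dependabot alerts on the one repository here that mirrors code this team does not author (`https://github.com/VeritasOS/netbackup-automation-platform.git`), which is exactly where such alerts are most useful; either set `vulnerability_alerts = true` or add a comment stating why they are suppressed. The retained `module "github-runner-images"` in the main.tf hunk uses the same unversioned `source = "HappyPathway/repo/github"` pattern, though only its header is visible here.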
@@ -5,14 +5,12 @@ module "repo_list" { github_repo_description = each.value.description repo_org = each.value.repo_org name = each.value.name
- github_repo_topics = [
- "terraform"
- ]
- is_template = each.value.is_template
- force_name = true
- create_codeowners = false
- enforce_prs = each.value.enforce_prs
- collaborators = local.collaborators
- pull_request_bypassers = local.pull_request_bypassers
- github_org_teams = local.github_organization_teams
+ github_repo_topics = each.value.repo_topics
+ is_template = each.value.is_template
+ force_name = true
+ create_codeowners = false
+ enforce_prs = each.value.enforce_prs
+ collaborators = local.collaborators
+ pull_request_bypassers = local.pull_request_bypassers
+ github_org_teams = local.github_organization_teams
 }
diff --git a/varfiles/default.tfvars b/varfiles/default.tfvars
index 6ad4a1d..9e37a68 100644
--- a/varfiles/default.tfvars
+++ b/varfiles/default.tfvars
@@ -7,11 +7,57 @@ repolist = [ description = "Managing AWS CSVD Secrets" repo_org = "CSVD" name = "aws-secrets"
+ repo_topics = [
+ "terraform-tools"
+ ]
 }, { description = "Tools for managing Terraform" repo_org = "CSVD" name = "tf-tools"
- }
+ repo_topics = [
+ "terraform-tools"
+ ]
+ },
+ {
+ description = "Composite Action for Terraform-Validate"
+ repo_org = "CSVD"
+ name = "terraform-validate"
+ repo_topics = [
+ "composite-action"
+ ]
+ },
+ {
+ description = "Composite Action for Terraform-Plan"
+ repo_org = "CSVD"
+ name = "terraform-plan"
+ repo_topics = [
+ "composite-action"
+ ]
+ },
+ {
+ description = "Composite Action for Terraform-Apply"
+ repo_org = "CSVD"
+ name = "terraform-apply"
+ repo_topics = [
+ "composite-action"
+ ]
+ },
+ {
+ description = "Composite Action for Terraform-Apply"
+ repo_org = "CSVD"
+ name = "terraform-init"
+ repo_topics = [
+ "composite-action"
+ ]
+ },
+ {
+ description = "Composite Action for AWS Auth"
+ repo_org = "CSVD"
+ name = "aws-auth"
+ repo_topics = [
+ "composite-action"
+ ]
+ }
 ]
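Review bot: The seven entries added to `repolist` are the repositories that patch 2's workflow consumes as `CSVD/aws-auth@main` and `CSVD/terraform-init@main`, yet none of them sets `enforce_prs`, which the `repolist` variable in this same patch defaults to `false`, so a direct push to any of their default branches alters what the Terraform job runs with AWS credentials; set `enforce_prs = true` on at least the `aws-auth`, `terraform-init`, `terraform-plan` and `terraform-apply` entries. The `terraform-init` entry also copies the description of the entry above it, `description = "Composite Action for Terraform-Apply"`, and should read `description = "Composite Action for Terraform-Init"`. The `repo_list` hunk above only passes the new `repo_topics` attribute through, which is fine.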
diff --git a/variables.tf b/variables.tf index 82faa87..a8b1a49 100644 --- a/variables.tf +++ b/variables.tf @@ -10,6 +10,7 @@ variable "repolist" { is_template = optional(bool, false) create_codeowners = optional(bool, false) enforce_prs = optional(bool, false) + repo_topics = optional(list(string), ["terraform-workspace"]) })) default = [] } From 0f44bd062be183fce6b636b2e5e87af51bfaf8a0 Mon Sep 17 00:00:00 2001 From: James Farr Gomez Date: Wed, 9 Oct 2024 16:03:31 -0700 Subject: [PATCH 2/5] Refactor Terraform workflow to use GitHub Actions setup and cache (#22) * Refactor Terraform workflow to use GitHub Actions setup and cache This commit refactors the Terraform workflow to use the GitHub Actions setup and cache. It removes the unnecessary steps for checking out the repository and blowing up the .terraform directory. It also adds the setup for AWS and GitHub credentials. The Terraform init and plan steps are now using the CSVD/terraform-init and CSVD/terraform-plan actions, respectively, with specific versions and workspace configurations. * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml * Update terraform_plan.yaml --------- Co-authored-by: David John Arnold Jr --- .github/workflows/terraform_plan.yaml | 77 +++++++++++++++------------ 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index d57aa70..fb864b0 100644 
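Review bot: The default `["terraform-workspace"]` replaces the `"terraform"` topic that repolist.tf applied to every entry before this patch, so any `repolist` entry that does not set `repo_topics` has its topic rewritten on the next apply; if that is intended, say so in the variable's `description` (the `variable "repolist"` block starts outside the hunk), otherwise keep the old value with `repo_topics = optional(list(string), ["terraform"])`. None of the entries in varfiles/default.tfvars relies on this default after patch 1, so it is worth confirming the new topic name against whatever consumes repository topics before it becomes the silent fallback.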
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -16,57 +16,64 @@ jobs: runs-on: [ "229685449397" ] env: -# GITHUB_APP_ID: ${{ vars.GH_APP_ID }} GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }} GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }} -# GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} GITHUB_OWNER: CSVD GITHUB_BASE_URL: https://github.e.it.census.gov/ TF_WORKSPACE: ${{ vars.terraform_workspace }} TF_CLI_ARGS_plan: -lock-timeout=30m TF_CLI_ARGS_apply: -lock-timeout=30m + NO_PROXY: ${{ vars.NO_PROXY }} # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - - - uses: CSVD/gh-actions-setup-node@v3 + - uses: CSVD/gh-actions-checkout@v4 + id: checkout with: - node-version: 16 - - - name: blow up .terraform - run: rm -rf ${{ github.workspace }}/.terraform || echo "nope" - - - name: Setup AWS Credentials - id: aws_credentials - run: | - curl -qL -o aws_credentials.json http://169.254.170.2/${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} > aws_credentials.json - aws configure set aws_access_key_id `jq -r '.AccessKeyId' aws_credentials.json` - echo AWS_ACCESS_KEY_ID=`jq -r '.AccessKeyId' aws_credentials.json` >> $GITHUB_ENV - aws configure set aws_secret_access_key `jq -r '.SecretAccessKey' aws_credentials.json` - echo AWS_SECRET_ACCESS_KEY=`jq -r '.SecretAccessKey' aws_credentials.json` >> $GITHUB_ENV - aws configure set aws_session_token `jq -r '.Token' aws_credentials.json` - echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV + persist-credentials: false + - name: AWS Auth + id: aws_auth + uses: CSVD/aws-auth@main + with: + ecs: true + - name: Setup GITHUB Credentials id: github_credentials run: | echo GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") >> $GITHUB_ENV - + - name: Terraform Init - id: init - run: /opt/tfenv/bin/terraform init -upgrade + uses: CSVD/terraform-init@main + 
id: terraform_init + with: + commit_sha: ${{ steps.checkout.outputs.commit }} + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + setup_terraform: true + terraform_init: true + env: + GITHUB_TOKEN: $GITHUB_TOKEN + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: $${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + +# - name: Terraform Plan +# uses: CSVD/terraform-plan@main +# with: +# terraform_version: "1.9.1" +# workspace: ${{ vars.terraform_workspace }} +# commit_sha: ${{ steps.terraform_init.outputs.commit_sha }} +# varfile: varfiles/${{ vars.terraform_workspace }}.tfvars +# download_cache: true +# setup_terraform: false +# env: +# AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} +# AWS_SECRET_ACCESS_KEY: $${{ steps.aws_auth.outputs.aws_secret_access_key }} +# AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} +# GITHUB_TOKEN: $GITHUB_TOKEN +# HTTP_PROXY: http://proxy.tco.census.gov:3128 +# HTTPS_PROXY: http://proxy.tco.census.gov:3128 +# NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" - - name: Terraform Validate - id: validate - run: /opt/tfenv/bin/terraform validate - name: Terraform Plan - id: plan - run: /opt/tfenv/bin/terraform plan -var-file=varfiles/${{ vars.terraform_workspace }}.tfvars - -# - name: Terraform Apply -# id: plan -# run: /opt/tfenv/bin/terraform apply -auto-approve -var-file=varfiles/${{ vars.terraform_workspace }}.tfvars -# continue-on-error: true
From 55e9e3c4656e52aa7099da47b6518952d98932d7 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 10 Oct 2024 11:14:01 -0700
Subject: [PATCH 3/5] Update terraform_plan.yaml
---
.github/workflows/terraform_plan.yaml | 3 +++
1 file changed, 3 insertions(+)
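Review bot: In the Terraform Init step's `env:`, `GITHUB_TOKEN: $GITHUB_TOKEN` is not shell-expanded — `env:` values are taken literally — so the action receives the string `$GITHUB_TOKEN`, and this step-level entry shadows the job-level `GITHUB_TOKEN` that the Setup GITHUB Credentials step wrote to `$GITHUB_ENV`; use `GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}` or drop the line. `AWS_SECRET_ACCESS_KEY: $${{ steps.aws_auth.outputs.aws_secret_access_key }}` has a stray leading `$`, which is not a documented escape in Actions expressions and leaves a literal dollar sign in front of the secret; it should read `AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}`, and the same typo sits in the commented-out Terraform Plan block. Passing the three AWS credentials around as step outputs means they are only redacted from logs if `CSVD/aws-auth` registers them with `add-mask`; that is worth confirming, since the removed inline version wrote them unmasked to `$GITHUB_ENV` and the new one is no better by default. `uses: CSVD/aws-auth@main` and `uses: CSVD/terraform-init@main` are mutable references, so the job runs whatever those branches hold at the time; pin them to a release tag or full commit SHA (`<pinned sha>`), as `persist-credentials: false` on the checkout only protects the checked-out repository's token. The job block starts outside the hunk.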
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index fb864b0..49d8db5 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -6,6 +6,9 @@ on: pull_request: # Allows you to run this workflow manually from the Actions tab workflow_dispatch:
+
+concurrency:
+ group: ${{ github.repo }}-${{ vars.terraform_workspace }}
 permissions: write-all # A workflow run is made up of one or more jobs that can run sequentially or in parallel
From 498a345840d6a8f42d3b9026412060c1d18030da Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 10 Oct 2024 12:55:59 -0700
Subject: [PATCH 4/5] Update terraform_plan.yaml
---
.github/workflows/terraform_plan.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index 49d8db5..eeb725f 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -61,6 +61,11 @@ jobs: AWS_SECRET_ACCESS_KEY: $${{ steps.aws_auth.outputs.aws_secret_access_key }} AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+ - name: debug outputs
+ run: |
+ echo S3 Upload Path: ${{ jobs.terraform_init.outputs.s3_upload_path }}"
+ echo Commit SHA: ${{ jobs.terraform_init.outputs.commit_sha }}"
+ # - name: Terraform Plan # uses: CSVD/terraform-plan@main # with:
From 24c49887d3e68ca32279e568be42aac18c92a260 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 10 Oct 2024 12:57:16 -0700
Subject: [PATCH 5/5] Update terraform_plan.yaml
---
.github/workflows/terraform_plan.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index eeb725f..1c7dc65 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
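Review bot: `github.repo` is not a property of the `github` context (the repository slug is `github.repository`), so `group: ${{ github.repo }}-${{ vars.terraform_workspace }}` evaluates to `-<workspace>`; it still serialises runs per workspace, because concurrency groups are already scoped to the repository, but the intent reads correctly only as `group: ${{ github.repository }}-${{ vars.terraform_workspace }}`. Leaving `cancel-in-progress` unset is the right choice for a job that holds a Terraform state lock. Separately, the context line `permissions: write-all` grants every token scope to a `pull_request`-triggered job that also carries AWS credentials; while touching this header, narrow `permissions:` to `contents: read` plus only what the init/plan actions demonstrably need.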
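Review bot: Step outputs are read through the `steps` context, so `${{ jobs.terraform_init.outputs.s3_upload_path }}` and the `commit_sha` line below it reference a named value that does not exist in a step and are likely rejected when the workflow is parsed; patch 5 rewrites them as `job.terraform_init.outputs…`, which parses but expands to empty because the `job` context carries no per-step outputs. Both `echo` lines also end in an unmatched `"`, which bash reports as an unterminated quoted string and fails the step. Write them as `echo "S3 Upload Path: ${{ steps.terraform_init.outputs.s3_upload_path }}"` and `echo "Commit SHA: ${{ steps.terraform_init.outputs.commit_sha }}"`, or better, pass the two values through the step's `env:` and echo `"$S3_UPLOAD_PATH"` so the run script does not interpolate expressions directly.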
@@ -63,8 +63,8 @@ jobs: - name: debug outputs run: |
- echo S3 Upload Path: ${{ jobs.terraform_init.outputs.s3_upload_path }}"
- echo Commit SHA: ${{ jobs.terraform_init.outputs.commit_sha }}"
+ echo S3 Upload Path: ${{ job.terraform_init.outputs.s3_upload_path }}"
+ echo Commit SHA: ${{ job.terraform_init.outputs.commit_sha }}"
 # - name: Terraform Plan # uses: CSVD/terraform-plan@main