From accfb481065db0b2b89b618a576b0dd6b8a78483 Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Thu, 15 Aug 2024 12:46:38 -0700
Subject: [PATCH 01/13] Refactor image pipeline module names and update workflows
---
 workflows/terraform-plan.yaml.tpl | 27 +++++----------------------
 1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl
index c941500..2906111 100644
--- a/workflows/terraform-plan.yaml.tpl
+++ b/workflows/terraform-plan.yaml.tpl
@@ -24,7 +24,9 @@ jobs:
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
 - uses: actions/checkout@v3
-
+ with:
+ ref: ${{ github.head_ref }}
+ token: ${{ secrets.GH_TOKEN }}
 - uses: CSVD/gh-actions-setup-node@v3
 with:
@@ -48,7 +50,7 @@ jobs:
 - name: Autoformat Halt
 if: env.auto_format == 'true'
- run: exit 1
+ run: exit 0
 - name: Terraform Init
 id: init
@@ -71,23 +73,4 @@ jobs:
 %{ endif }
 run: terraform plan
 continue-on-error: true
-
- - name: Update Pull Request
- uses: CSVD/gh-actions-github-script@v6
- if: github.event_name == 'pull_request'
- with:
- github-token: $${{ secrets.GH_TOKEN }}
- script: |
- const output = `#### Terraform Format and Style 🖌\`$${{ steps.fmt.outcome }}\`
- #### Terraform Initialization ⚙️\`$${{ steps.init.outcome }}\`
- #### Terraform Validation 🤖\`$${{ steps.validate.outcome }}\`
- #### Terraform Plan:
- $${{ steps.plan.outcome }}
- *Pushed by: @$${{ github.actor }}, Action: \`$${{ github.event_name }}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
\ No newline at end of file
+L
\ No newline at end of file
From 9741a63541ea38ae33b5c49836494b2306dbf06f Mon Sep 17 00:00:00 2001
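Review bot: The two new `with:` lines use `${{ ... }}` unescaped inside a file that main.tf renders with `templatefile()`, while the rest of this template escapes the sequence as `$${{` (see the `github-token: $${{ secrets.GH_TOKEN }}` line removed below and restored in patch 02); as written, `${{ github.head_ref }}` and `${{ secrets.GH_TOKEN }}` will be parsed as HCL interpolation and the render is expected to fail. Change them to `ref: $${{ github.head_ref }}` and `token: $${{ secrets.GH_TOKEN }}`. Separately, checking out with a PAT leaves that token in the workspace's git config for every later step unless `persist-credentials: false` is set, so if the token is only needed by a push-back step it is better limited to that step. The enclosing job definition continues outside the hunk.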
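Review bot: With `run: exit 0` the "Autoformat Halt" step no longer halts anything: it always succeeds, so Terraform Init and Plan now run on the pre-format checkout even when `env.auto_format == 'true'`. If the intent is to keep the job green but skip the remaining steps after an autoformat push, this step should be removed and the later steps guarded with `if: env.auto_format != 'true'`; otherwise the step name should change to reflect that it is now a no-op. The surrounding steps list continues outside the hunk.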
From: Dave Arnold
Date: Thu, 15 Aug 2024 12:53:14 -0700
Subject: [PATCH 02/13] Refactor image pipeline module names and update workflows
---
 workflows/terraform-plan.yaml.tpl | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl
index 2906111..a354a76 100644
--- a/workflows/terraform-plan.yaml.tpl
+++ b/workflows/terraform-plan.yaml.tpl
@@ -73,4 +73,23 @@ jobs:
 %{ endif }
 run: terraform plan
 continue-on-error: true
-L
\ No newline at end of file
+
+ - name: Update Pull Request
+ uses: CSVD/gh-actions-github-script@v6
+ if: github.event_name == 'pull_request'
+ with:
+ github-token: $${{ secrets.GH_TOKEN }}
+ script: |
+ const output = `#### Terraform Format and Style 🖌\`$${{ steps.fmt.outcome }}\`
+ #### Terraform Initialization ⚙️\`$${{ steps.init.outcome }}\`
+ #### Terraform Validation 🤖\`$${{ steps.validate.outcome }}\`
+ #### Terraform Plan:
+ $${{ steps.plan.outcome }}
+ *Pushed by: @$${{ github.actor }}, Action: \`$${{ github.event_name }}\`*`;
+
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ })
From 418ef4f11aa9cff05cd651684ff2f36f7d99702a Mon Sep 17 00:00:00 2001
From: arnol377
Date: Tue, 20 Aug 2024 12:39:14 -0400
Subject: [PATCH 03/13] adding a workspace for managing service accounts
---
 main.tf | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/main.tf b/main.tf
index 6c72d56..5e094db 100644
--- a/main.tf
+++ b/main.tf
@@ -206,3 +206,45 @@ module "ghe_runners" {
 collaborators = local.collaborators
 }
+module "aws-service-accounts" {
+ source = "git@github.e.it.census.gov:CSVD/terraform-github-repo"
+ github_repo_description = "Manage Repo Specific Runners"
+ repo_org = "arnol377"
+ name = "aws-service-accounts"
+ github_repo_topics = [
+ "terraform"
+ ]
+ force_name = true
+ github_is_private = false
+ create_codeowners = false
+ enforce_prs = true
+ collaborators = local.collaborators
+ pull_request_bypassers = local.pull_request_bypassers
+ managed_extra_files = [
+ {
+ path = ".github/workflows/terraform-plan.yaml"
+ content = templatefile(
+ "${path.module}/workflows/terraform-plan.yaml.tpl",
+ {
+ repo_name = "aws-image-pipeline",
+ directory = null
+ git_owner = {
+ name = "arnol377"
+ email = "david.j.arnold.jr@census.gov"
+ }
+ }
+ )
+ },
+ {
+ path = ".github/workflows/terraform-apply.yaml"
+ content = templatefile(
+ "${path.module}/workflows/terraform-apply.yaml.tpl",
+ {
+ repo_name = "aws-image-pipeline",
+ directory = null
+ }
+ )
+ }
+ ]
+}
+
From 5c4e84048231cf2c7b8ed86bed331a00e6c2d961 Mon Sep 17 00:00:00 2001
From: arnol377
Date: Tue, 20 Aug 2024 12:40:18 -0400
Subject: [PATCH 04/13] Autoformatting TF Code
---
 main.tf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/main.tf b/main.tf
index 5e094db..fb66bd7 100644
--- a/main.tf
+++ b/main.tf
@@ -214,13 +214,13 @@ module "aws-service-accounts" {
 github_repo_topics = [
 "terraform"
 ]
- force_name = true
- github_is_private = false
- create_codeowners = false
- enforce_prs = true
- collaborators = local.collaborators
+ force_name = true
+ github_is_private = false
+ create_codeowners = false
+ enforce_prs = true
+ collaborators = local.collaborators
 pull_request_bypassers = local.pull_request_bypassers
- managed_extra_files = [
+ managed_extra_files = [
 {
 path = ".github/workflows/terraform-plan.yaml"
 content = templatefile(
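Review bot: The new module is named `aws-service-accounts` but passes `repo_name = "aws-image-pipeline"` to both workflow templates and reuses the runners module's description "Manage Repo Specific Runners", so the rendered workflows presumably point at the wrong repository; use `repo_name = "aws-service-accounts"` and a description that matches. The `source` is an unpinned git URL with no `?ref=`, and the registry sources this series switches to later (`HappyPathway/repo/github` in patches 05 and 09, `HappyPathway/service-account/aws` in patch 06, `HappyPathway/var/env` in patch 07) carry no `version` constraint either, so every init tracks whatever upstream currently publishes; add `?ref=<TAG_PLACEHOLDER>` or `version = "<VERSION_PLACEHOLDER>"` to each. `github_is_private = false` also makes a repository whose stated purpose is managing service accounts public; confirm that is intended.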
From 759210328a49ee28047ae6d87ada682d1601fa1e Mon Sep 17 00:00:00 2001
From: arnol377
Date: Tue, 20 Aug 2024 12:41:51 -0400
Subject: [PATCH 05/13] fixing module source
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 5e094db..58e2bbf 100644
--- a/main.tf
+++ b/main.tf
@@ -207,7 +207,7 @@ module "ghe_runners" {
 }
 module "aws-service-accounts" {
- source = "git@github.e.it.census.gov:CSVD/terraform-github-repo"
+ source = "HappyPathway/repo/github"
 github_repo_description = "Manage Repo Specific Runners"
 repo_org = "arnol377"
 name = "aws-service-accounts"
From bd52ba5c96ad38b7659ca36b900f844cb2e40b6a Mon Sep 17 00:00:00 2001
From: arnol377
Date: Tue, 20 Aug 2024 14:13:43 -0400
Subject: [PATCH 06/13] adding service-accounts for use with github actions
---
 data.tf | 1 +
 iam_policy/session_configuration.json | 27 +++++++++++++++++
 main.tf | 43 ---------------------------
 morpheus.tf | 18 ++++++++++-
 service-accounts.tf | 5 ++++
 5 files changed, 50 insertions(+), 44 deletions(-)
 create mode 100644 data.tf
 create mode 100644 iam_policy/session_configuration.json
 create mode 100644 service-accounts.tf
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..2502393
--- /dev/null
+++ b/data.tf
@@ -0,0 +1 @@
+data "aws_region" "current" {}
diff --git a/iam_policy/session_configuration.json b/iam_policy/session_configuration.json
new file mode 100644
index 0000000..e0b8197
--- /dev/null
+++ b/iam_policy/session_configuration.json
@@ -0,0 +1,27 @@
+{
+ "Statement": [
+ {
+ "Action": "s3:*",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-us-gov:s3:::inf-test-08230846-acc4-7788-94df-5730ed20c008/*"
+ ]
+ },
+ {
+ "Action": "ssm:*",
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": "secretsmanager:*",
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": "dynamodb:*",
+ "Effect": "Allow",
+ "Resource": "arn:aws-us-gov:dynamodb:us-gov-west-1:229685449397:table/tf_remote_state"
+ }
+ ],
+ "Version": "2012-10-17"
+}
diff --git a/main.tf b/main.tf
index 41c819e..b865579 100644
--- a/main.tf
+++ b/main.tf
@@ -206,46 +206,3 @@ module "ghe_runners" {
 enforce_prs = false
 collaborators = local.collaborators
 }
-
-module "aws-service-accounts" {
- source = "HappyPathway/repo/github"
- github_repo_description = "Manage Repo Specific Runners"
- repo_org = "arnol377"
- name = "aws-service-accounts"
- github_repo_topics = [
- "terraform"
- ]
- force_name = true
- github_is_private = false
- create_codeowners = false
- enforce_prs = true
- collaborators = local.collaborators
- pull_request_bypassers = local.pull_request_bypassers
- managed_extra_files = [
- {
- path = ".github/workflows/terraform-plan.yaml"
- content = templatefile(
- "${path.module}/workflows/terraform-plan.yaml.tpl",
- {
- repo_name = "aws-image-pipeline",
- directory = null
- git_owner = {
- name = "arnol377"
- email = "david.j.arnold.jr@census.gov"
- }
- }
- )
- },
- {
- path = ".github/workflows/terraform-apply.yaml"
- content = templatefile(
- "${path.module}/workflows/terraform-apply.yaml.tpl",
- {
- repo_name = "aws-image-pipeline",
- directory = null
- }
- )
- }
- ]
-}
-
diff --git a/morpheus.tf b/morpheus.tf
index dde3497..b8abed3 100644
--- a/morpheus.tf
+++ b/morpheus.tf
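Review bot: The policy grants `ssm:*` and `secretsmanager:*` on `"Resource": "*"`, plus `s3:*` and `dynamodb:*`, to a long-lived IAM user whose static key pair this series then distributes as GitHub Actions secrets (morpheus.tf here, sandbox.tf in patch 07), so a leak of that one key pair gives read and write access to every parameter and secret in the account. Each statement should list only the actions the workflows need (for example `secretsmanager:GetSecretValue`, `ssm:GetParameter`, and — if `tf_remote_state` is the state-lock table — the `dynamodb:GetItem`/`PutItem`/`DeleteItem` calls the S3 backend uses) and name resource ARNs rather than `*`. The S3 statement also lists only `.../*` object ARNs; `s3:ListBucket` is evaluated against the bucket ARN itself, so bucket-level calls will be denied unless `arn:aws-us-gov:s3:::inf-test-08230846-acc4-7788-94df-5730ed20c008` is added. A narrowed shape for the two wildcard statements, with names to fill in:

```json
{
  "Action": ["secretsmanager:GetSecretValue"],
  "Effect": "Allow",
  "Resource": "arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:<SECRET_NAME_PLACEHOLDER>-*"
},
{
  "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
  "Effect": "Allow",
  "Resource": "arn:aws-us-gov:ssm:us-gov-west-1:229685449397:parameter/<PARAMETER_PATH_PLACEHOLDER>/*"
}
```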
@@ -21,6 +21,22 @@ module "morpheus_repos" {
 enforce_prs = true
 collaborators = { gomez385 = "admin", arnol377 = "admin" }
 pull_request_bypassers = local.pull_request_bypassers
+ vars = [
+ {
+ name = "aws_access_key_id",
+ value = module.aws_session_configuration.iam_credentials.iam_access_key_id
+ },
+ {
+ name = "aws_default_region",
+ value = data.aws_region.current.name
+ }
+ ]
+ secrets = [
+ {
+ name = "aws_secret_access_key"
+ value = module.aws_session_configuration.iam_credentials.iam_secret_access_key
+ }
+ ]
 managed_extra_files = [
 {
 path = ".github/workflows/terraform-plan.yaml"
@@ -47,4 +63,4 @@ module "morpheus_repos" {
 )
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/service-accounts.tf b/service-accounts.tf
new file mode 100644
index 0000000..3be2ed5
--- /dev/null
+++ b/service-accounts.tf
@@ -0,0 +1,5 @@
+module "aws_session_configuration" {
+ source = "HappyPathway/service-account/aws"
+ iam_policy = file("${path.root}/iam_policy/session_configuration.json")
+ iam_user_name = "github-actions-s3_upload"
+}
From cb6d48492a412650add9d39799f5b56e78cef095 Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Tue, 20 Aug 2024 12:50:13 -0700
Subject: [PATCH 07/13] Refactor image pipeline module names and update workflows
---
 actions_secrets.tf | 14 +++++++++++
 image-pipeline.tf | 2 +-
 main.tf | 2 ++
 sandbox.tf | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 actions_secrets.tf
 create mode 100644 sandbox.tf
diff --git a/actions_secrets.tf b/actions_secrets.tf
new file mode 100644
index 0000000..2c43dce
--- /dev/null
+++ b/actions_secrets.tf
@@ -0,0 +1,14 @@
+locals {
+ secrets = [
+ "AWS_SECRET_ACCESS_KEY",
+ "AWS_SESSION_TOKEN",
+ "AWS_ACCESS_KEY_ID",
+ "GITHUB_TOKEN"
+ ]
+}
+
+module "env_var" {
+ source = "HappyPathway/var/env"
+ for_each = toset(local.secrets)
+ env_var = each.value
+}
diff --git a/image-pipeline.tf b/image-pipeline.tf
index e978deb..f19cd98 100644
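Review bot: The new `vars` and `secrets` entries push a static IAM access key pair, read from `module.aws_session_configuration.iam_credentials`, into the repository; a long-lived user key is a credential that cannot be rotated without another apply and that any workflow in the repo can read. The safer pattern is to let the workflow assume a role through GitHub's OIDC provider (`aws-actions/configure-aws-credentials` with `role-to-assume`) so no secret access key exists at all; if static keys must stay, note that `iam_secret_access_key` is now also stored in plaintext in the Terraform state, so access to the state backend must be treated as equivalent to holding the key. Style nit: the `secrets` object omits the comma after `name = "aws_secret_access_key"` while the `vars` objects include one; HCL accepts both, but the file should pick one form. The enclosing `module "morpheus_repos"` block starts above the hunk.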
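Review bot: `iam_user_name = "github-actions-s3_upload"` describes a user that uploads to S3, but the attached `session_configuration.json` in this same patch also grants `ssm:*`, `secretsmanager:*` and `dynamodb:*`, so the name understates what the key can do and will mislead anyone auditing IAM users later; either narrow the policy to match the name or rename the user to reflect its real scope. The module's `iam_credentials` output is consumed in morpheus.tf for the secret key, so presumably it is returned as a module output; confirm the module marks it `sensitive` so it is not echoed in plan output.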
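Review bot: `module "env_var"` reads `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_ACCESS_KEY_ID` and `GITHUB_TOKEN` from the environment of whatever runs Terraform and, via sandbox.tf in this patch, copies them into another repository's Actions secrets; that freezes the operator's own credentials — including a session token that expires on its own schedule — into the target repo and into Terraform state, where they go stale quickly and cannot be revoked from that side. If the sandbox needs AWS access, give it its own identity (an OIDC-assumed role, or at least the dedicated IAM user patch 06 creates) rather than a copy of the runner's credentials; if `GITHUB_TOKEN` here is the ephemeral Actions token, it is invalid once the job ends and should not be stored at all. Depending on what the module does with a missing variable, `for_each = toset(local.secrets)` either fails the plan or writes an empty secret, which is worth confirming before relying on it.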
--- a/image-pipeline.tf
+++ b/image-pipeline.tf
@@ -132,7 +132,7 @@ module "terraform_aws_image_pipeline" {
 content = templatefile(
 "${path.module}/workflows/terraform-plan.yaml.tpl",
 {
- repo_name = "aws-image-pipeline",
+ repo_name = "terraform-aws-image-pipeline",
 directory = "./examples"
 git_owner = {
 name = "arnol377"
diff --git a/main.tf b/main.tf
index 6c72d56..3f8fa6a 100644
--- a/main.tf
+++ b/main.tf
@@ -206,3 +206,5 @@ module "ghe_runners" {
 collaborators = local.collaborators
 }
+
+
diff --git a/sandbox.tf b/sandbox.tf
new file mode 100644
index 0000000..081143c
--- /dev/null
+++ b/sandbox.tf
@@ -0,0 +1,61 @@
+
+locals {
+ workspace_instances = [
+ "arnol377-sandbox"
+ ]
+}
+
+module "ghe_runners" {
+ source = "git@github.e.it.census.gov:CSVD/terraform-github-repo"
+ for_each = toset(local.workspace_instances)
+ github_repo_description = "Sandbox - ${each.value}"
+ repo_org = "arnol377"
+ name = each.value
+ github_repo_topics = [
+ "terraform"
+ ]
+ force_name = true
+ github_is_private = false
+ create_codeowners = false
+ enforce_prs = false
+ collaborators = local.collaborators
+ managed_extra_files = [
+ {
+ path = ".github/workflows/terraform-plan.yaml"
+ content = templatefile(
+ "${path.module}/workflows/terraform-plan.yaml.tpl",
+ {
+ repo_name = each.value,
+ directory = null
+ git_owner = {
+ name = "arnol377"
+ email = "david.j.arnold.jr@census.gov"
+ }
+ }
+ )
+ },
+ {
+ path = ".github/workflows/terraform-apply.yaml"
+ content = templatefile(
+ "${path.module}/workflows/terraform-apply.yaml.tpl",
+ {
+ repo_name = each.value,
+ directory = null
+ }
+ )
+ }
+ ]
+ secrets = [
+ for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] :
+ {
+ name = replace(secret, "GITHUB", "GH")
+ value = lookup(module.env_var, secret).value
+ }
+ ]
+ vars = [
+ {
+ name = "AWS_ACCESS_KEY_ID"
+ value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value
+ }
+ ]
+}
\ No newline at end of file
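Review bot: `github_is_private = false` makes a repository that is seeded with AWS credentials and a GitHub token public; GitHub withholds repository secrets from fork-originated `pull_request` runs, but the workflow files, the `git_owner` email and whatever the PR-comment step posts become world-readable, so this sandbox should be private unless that exposure is deliberate. The comprehension `for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] :` reuses `secret` for both levels, which reads as if the outer and inner variables were the same; `for secret in [for s in local.secrets : s if s != "AWS_ACCESS_KEY_ID"] :` says the same thing without the shadowing, and `module.env_var[secret].value` is the idiomatic form of `lookup(module.env_var, secret).value` (a missing key fails either way). The `AWS_ACCESS_KEY_ID` entry goes into `vars`, which Actions prints unmasked, so the key id will appear in job logs — acceptable if intended, but worth a one-line comment above the `vars` block.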
From 541131a82af2cccd56023574046f0ece141213cb Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Tue, 20 Aug 2024 12:53:07 -0700
Subject: [PATCH 08/13] chore: Update module name in sandbox.tf
---
 sandbox.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox.tf b/sandbox.tf
index 081143c..0dffc67 100644
--- a/sandbox.tf
+++ b/sandbox.tf
@@ -5,7 +5,7 @@ locals {
 ]
 }
-module "ghe_runners" {
+module "sandbox" {
 source = "git@github.e.it.census.gov:CSVD/terraform-github-repo"
 for_each = toset(local.workspace_instances)
 github_repo_description = "Sandbox - ${each.value}"
From 28bd0953c8a2015d95bad44d23c2c8e73ba22d68 Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Tue, 20 Aug 2024 12:56:50 -0700
Subject: [PATCH 09/13] chore: Update module source in sandbox.tf
---
 sandbox.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox.tf b/sandbox.tf
index 0dffc67..29d3c43 100644
--- a/sandbox.tf
+++ b/sandbox.tf
@@ -6,7 +6,7 @@ locals {
 }
 module "sandbox" {
- source = "git@github.e.it.census.gov:CSVD/terraform-github-repo"
+ source = "HappyPathway/repo/github"
 for_each = toset(local.workspace_instances)
 github_repo_description = "Sandbox - ${each.value}"
 repo_org = "arnol377"
From 3920a3e3983cb6c8cb98475ff6b43e395fa12acd Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Tue, 20 Aug 2024 13:03:26 -0700
Subject: [PATCH 10/13] Update terraform_plan.yaml
---
 .github/workflows/terraform_plan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index 25f471d..b33719c 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -68,7 +68,7 @@ jobs:
 - name: Terraform Plan
 id: plan
- run: terraform plan -no-color
+ run: terraform plan
 continue-on-error: true
 - uses: CSVD/gh-actions-github-script@v6
From 8ca3751e3bf2fb7eac2c7eb5dc04f78300549076 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Tue, 20 Aug 2024 13:09:58 -0700
Subject: [PATCH 11/13] Update terraform_plan.yaml
---
 .github/workflows/terraform_plan.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index b33719c..ee6da92 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -68,13 +68,20 @@ jobs:
 - name: Terraform Plan
 id: plan
- run: terraform plan
+ if: github.event_name == 'pull_request'
+ run: terraform plan -out plans/${{ github.sha }}
+ continue-on-error: true
+
+ - name: Terraform Plan
+ id: show_plan
+ if: github.event_name == 'pull_request'
+ run: terraform show plans/${{ github.sha }}
 continue-on-error: true
 - uses: CSVD/gh-actions-github-script@v6
 if: github.event_name == 'pull_request'
 env:
- PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+ PLAN: "terraform\n${{ steps.show_plan.outputs.stdout }}"
 with:
 github-token: ${{ secrets.GH_TOKEN }}
 script: |
From 4e162d3105aec886dcda818b3796fa0cf1de714c Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Tue, 20 Aug 2024 13:13:09 -0700
Subject: [PATCH 12/13] Update terraform_plan.yaml
---
 .github/workflows/terraform_plan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index ee6da92..4ca8302 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -75,7 +75,7 @@ jobs:
 - name: Terraform Plan
 id: show_plan
 if: github.event_name == 'pull_request'
- run: terraform show plans/${{ github.sha }}
+ run: terraform show -no-color plans/${{ github.sha }}
 continue-on-error: true
 - uses: CSVD/gh-actions-github-script@v6
From da0c9691e87d318bc788de60d66a9137e6b19790 Mon Sep 17 00:00:00 2001
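Review bot: `terraform plan -out plans/${{ github.sha }}` writes into a `plans/` directory that no step in the job creates, and as far as I know Terraform does not create parent directories for `-out`, so unless the repository already ships that directory the plan step fails and `continue-on-error: true` hides the failure until `terraform show` reports a missing file; add `run: mkdir -p plans` before the plan (or make it `run: mkdir -p plans && terraform plan -out plans/${{ github.sha }}`). Both steps are labelled `name: Terraform Plan`, which makes the job log and the two outcomes ambiguous; name the second one `Terraform Show`. A saved plan file holds the planned values in plaintext, including any secret values that flow into resources, so it should stay on the runner and never be uploaded as an artifact. The comment step's `steps.show_plan.outputs.stdout` depends on the Terraform setup step exposing `stdout` as a step output; that step is outside the hunk, so confirm its wrapper is enabled.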
From: David John Arnold Jr
Date: Tue, 20 Aug 2024 13:16:39 -0700
Subject: [PATCH 13/13] Update sandbox.tf
---
 sandbox.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sandbox.tf b/sandbox.tf
index 29d3c43..99ff22e 100644
--- a/sandbox.tf
+++ b/sandbox.tf
@@ -18,7 +18,7 @@ module "sandbox" {
 github_is_private = false
 create_codeowners = false
 enforce_prs = false
- collaborators = local.collaborators
+ collaborators = {"arnol377": "admin"}
 managed_extra_files = [
 {
 path = ".github/workflows/terraform-plan.yaml"
@@ -58,4 +58,4 @@ module "sandbox" {
 value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value
 }
 ]
-}
\ No newline at end of file
+}
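Review bot: `collaborators = {"arnol377": "admin"}` uses JSON-style quoted keys and a colon, while the other modules in this series write the same map as `{ gomez385 = "admin", arnol377 = "admin" }` (morpheus.tf) or pass `local.collaborators`; HCL accepts both forms, but the file should follow the existing style, `collaborators = { arnol377 = "admin" }`. Dropping `local.collaborators` also detaches the sandbox from the shared collaborator list, which may well be intended for a sandbox but deserves a one-line comment above the attribute saying so. The enclosing `module "sandbox"` block starts above the hunk.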