

Csvd common (#4)
* adding new env

* adding csvd-common-ew runners

* Update terraform_plan.yaml

* Update terraform_apply.yaml
arnol377 committed Oct 30, 2024
1 parent fb72a8e commit 1af9374
Showing 11 changed files with 252 additions and 148 deletions.
155 changes: 119 additions & 36 deletions .github/workflows/terraform_apply.yaml
Expand Up @@ -4,56 +4,139 @@ name: Terraform Apply
# Controls when the workflow will run
on:
push:
branches: [ "main" ]
branches:
- main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:


concurrency:
group: ${{ github.repo }}-${{ vars.terraform_workspace }}

permissions: write-all
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
Plan:
# The type of runner that the job will run on
runs-on: [ ghe-runners ]
runs-on: ["229685449397"]

env:
AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
TF_WORKSPACE: ${{ vars.terraform_workspace }}
TF_CLI_ARGS_plan: -lock-timeout=30m
TF_CLI_ARGS_apply: -lock-timeout=30m
NO_PROXY: ${{ vars.NO_PROXY }}

outputs:
commit_sha: "${{ steps.git_show.outputs.commit_sha }}"
cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
github_token: ${{ steps.github_credentials.outputs.github_token }}
aws_access_key_id: ${{ steps.aws_auth.outputs.aws_access_key_id }}
aws_secret_access_key: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
aws_session_token: ${{ steps.aws_auth.outputs.aws_session_token }}


# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3

- uses: CSVD/gh-actions-checkout@v4
id: checkout
with:
persist-credentials: false

- uses: CSVD/gh-actions-setup-node@v3
- name: git show
id: git_show
run: |
echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV
echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_OUTPUT
- name: AWS Auth
id: aws_auth
uses: CSVD/aws-auth@main
with:
node-version: 16

- uses: CSVD/gh-actions-setup-terraform@v2
ecs: true

- name: Setup GITHUB Credentials
id: github_credentials
uses: CSVD/gh-auth@main
with:
terraform_wrapper: false
terraform_version: ${{ vars.terraform_version }}
github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
github_base_url: "${{ github.server_url }}/"

- name: Terraform Format
id: fmt
run: |
terraform fmt -check
- name: Autoformat Halt
if: env.auto_format == 'true'
run: exit 1

- name: Terraform Init
id: init
run: terraform init -upgrade

- name: Terraform Validate
id: validate
run: terraform validate
uses: CSVD/terraform-init@main
id: terraform_init
with:
commit_sha: ${{ env.commit_sha }}
checkout: false
terraform_version: "1.9.1"
workspace: ${{ vars.terraform_workspace }}
setup_terraform: true
terraform_init: true
env:
GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}

- name: Terraform Plan
uses: CSVD/terraform-plan@main
with:
terraform_version: "1.9.1"
workspace: ${{ vars.terraform_workspace }}
commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
download_cache: true
setup_terraform: false
cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
env:
AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
GITHUB_OWNER: ${{ github.repository_owner }}
GITHUB_BASE_URL: "${{ github.server_url }}/"
HTTP_PROXY: http://proxy.tco.census.gov:3128
HTTPS_PROXY: http://proxy.tco.census.gov:3128
NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"

Apply:
# The type of runner that the job will run on
runs-on: ["229685449397"]
needs: Plan
environment: requires_approval
steps:
- name: AWS Auth
id: aws_auth
uses: CSVD/aws-auth@main
with:
ecs: true

- name: Setup GITHUB Credentials
id: github_credentials
uses: CSVD/gh-auth@main
with:
github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
github_base_url: "${{ github.server_url }}/"

- name: Terraform Apply
id: plan
run: terraform apply -auto-approve
continue-on-error: true
uses: CSVD/terraform-apply@main
with:
terraform_version: "1.9.1"
workspace: ${{ vars.terraform_workspace }}
commit_sha: ${{ needs.Plan.outputs.commit_sha }}
download_cache: true
setup_terraform: true
terraform_wrapper: false
cache_key: ${{ needs.Plan.outputs.cache_key }}
env:
AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
GITHUB_OWNER: ${{ github.repository_owner }}
GITHUB_BASE_URL: "${{ github.server_url }}/"
HTTP_PROXY: http://proxy.tco.census.gov:3128
HTTPS_PROXY: http://proxy.tco.census.gov:3128
NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"
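Review bot: The Plan job publishes live credentials as job outputs — `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token` and `github_token` under `outputs:` — yet the Apply job never reads them; it re-runs `CSVD/aws-auth` and `CSVD/gh-auth` itself. Job outputs are persisted with the run and are readable by anyone with read access to it unless the composite actions masked those values, in which case GitHub silently drops the output as secret-derived; so at best these four lines are dead and at worst they expose the session credentials and App token. Remove them and keep only `commit_sha` and `cache_key` as outputs. Separately, `permissions: write-all` gives the default GITHUB_TOKEN every scope when the workflow appears to need only `contents: read` (the App token from `gh-auth` does the real work), and every `CSVD/*@main` reference is a mutable ref for actions that handle the App private key and AWS credentials — pin them to a release tag or commit SHA.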


158 changes: 62 additions & 96 deletions .github/workflows/terraform_plan.yaml
Expand Up @@ -4,117 +4,83 @@ name: Terraform Plan
# Controls when the workflow will run
on:
pull_request:
# Allows you to run this workflow manually from the Actions tab
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

concurrency:
group: ${{ github.repo }}-${{ vars.terraform_workspace }}

permissions: write-all
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
Plan:
# The type of runner that the job will run on
runs-on: [ "229685449397" ]
runs-on: ["229685449397"]

env:
AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
TF_WORKSPACE: ${{ vars.terraform_workspace }}
TF_CLI_ARGS_plan: -lock-timeout=30m
TF_CLI_ARGS_apply: -lock-timeout=30m
NO_PROXY: ${{ vars.NO_PROXY }}


# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: CSVD/gh-actions-checkout@v3
- uses: CSVD/gh-actions-checkout@v4
id: checkout
with:
github-server-url: https://github.e.it.census.gov
ref: ${{ github.head_ref }}
token: ${{ secrets.GH_TOKEN }}
persist-credentials: false


- uses: CSVD/gh-actions-setup-node@v3
- name: git show
run: echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV

- name: AWS Auth
id: aws_auth
uses: CSVD/aws-auth@main
with:
node-version: 16

- uses: CSVD/gh-actions-setup-terraform@v2
ecs: true

- name: Setup GITHUB Credentials
id: github_credentials
uses: CSVD/gh-auth@main
with:
terraform_version: ${{ vars.terraform_version }}
github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
github_base_url: "${{ github.server_url }}/"

- name: Set output
id: vars
run: echo ::set-output name=short_ref::${GITHUB_REF#refs/*/}

- name: Terraform Format
id: fmt
run: |
terraform fmt
if ! git diff-index --quiet HEAD; then
git config --global user.name '${{ vars.REPO_OWNER }}'
git config --global user.email '${{ vars.REPO_OWNER_EMAIL }}'
git commit -am "Autoformatting TF Code"
git push
echo "auto_format=true" >> $GITHUB_ENV
fi
- name: Autoformat Halt
if: env.auto_format == 'true'
run: exit 0

- name: Terraform Init
id: init
run: terraform init -upgrade

- name: Terraform Validate
id: validate
run: terraform validate -no-color

- name: Terraform Plan
id: plan
if: github.event_name == 'pull_request'
run: terraform plan -no-color -out=${{ vars.plan_cache }}/${{ github.sha }}
continue-on-error: true

- name: Terraform Plan
if: github.event_name != 'pull_request'
run: terraform plan -no-color
continue-on-error: true

- name: Terraform Show plan
if: github.event_name == 'pull_request'
run: echo ::set-output name=terraform_plan::$(terraform show ${{ vars.plan_cache }}/${{ github.sha }})

- name: Post Terraform Plan to PR
uses: CSVD/gh-actions-github-script@v6
if: github.event_name == 'pull_request'
uses: CSVD/terraform-init@main
id: terraform_init
with:
commit_sha: ${{ env.commit_sha }}
checkout: false
terraform_version: "1.9.1"
workspace: ${{ vars.terraform_workspace }}
setup_terraform: true
terraform_init: true
env:
PLAN: "terraform\n${{ env.terraform_plan }}"
GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}

- name: Terraform Plan
uses: CSVD/terraform-plan@main
with:
github-token: ${{ secrets.GH_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
terraform_version: "1.9.1"
workspace: ${{ vars.terraform_workspace }}
commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
download_cache: true
setup_terraform: false
cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
env:
AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
GITHUB_OWNER: ${{ github.repository_owner }}
GITHUB_BASE_URL: "${{ github.server_url }}/"
HTTP_PROXY: http://proxy.tco.census.gov:3128
HTTPS_PROXY: http://proxy.tco.census.gov:3128
NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"
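Review bot: This workflow triggers on `pull_request` with `permissions: write-all` and obtains AWS credentials through `CSVD/aws-auth@main` with `ecs: true`, which presumably means the self-hosted runner's task role is the credential source rather than a repository secret, so any PR that changes the Terraform code or its providers runs with those credentials during `terraform plan` — plan is not read-only when provider or `external` data-source code is under the author's control. Restrict the token to `permissions: contents: read` (the App token from `gh-auth` covers everything else) and confirm the runner label `229685449397` is scoped so PR plans cannot reach non-dev state. Pin the `CSVD/*@main` actions to a tag or SHA, since they handle the App private key and AWS credentials. Also `github.repo` in `concurrency.group` is not a property of the `github` context (the property is `github.repository`), so the group appears to evaluate to `-<workspace>`; that is harmless only because concurrency groups are repository-scoped, and it should read `group: ${{ github.repository }}-${{ vars.terraform_workspace }}`.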
2 changes: 0 additions & 2 deletions .targets

This file was deleted.

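--- a/app_setup.tf
+++ b/app_setup.tf
@@ -0,0 +1,7 @@
+#data "aws_secretsmanager_secret" "app_install" {
+# name = "github-runners/github/secrets-key"
+#}
+
+#output app_install {
+# value = data.aws_secretsmanager_secret.app_install
+#}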
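Review bot: The entire new file is commented-out code with no note on why it is being checked in, so the next reader cannot tell whether it is a placeholder, a rollback, or an abandoned experiment; either delete it or lead with a comment such as `# Disabled: App install-secret lookup for the runner; enable once the secret exists in this account`. If it is enabled as written, `output app_install` would copy every attribute of the `aws_secretsmanager_secret` data source (ARN, KMS key, resource policy, tags — as far as I recall not the secret string itself, which needs `aws_secretsmanager_secret_version`) into the state file and into the plan stored in the S3 cache, so when the time comes output only `.arn` or mark the output `sensitive = true`.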
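--- a/backend-configs/csvd-common-ew.tf
+++ b/backend-configs/csvd-common-ew.tf
@@ -0,0 +1,4 @@
+bucket = "inf-tfstate-220615867784"
+key = "csvd-common-ew/common/apps/ghe-runner"
+region = "us-gov-east-1"
+dynamodb_table = "tf_remote_state"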
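Review bot: The backend config omits `encrypt = true`, so the S3 backend will not request server-side encryption when it writes the state object unless the bucket enforces it by default; Terraform state routinely carries sensitive values and should be written encrypted regardless of bucket policy. Add `encrypt = true` after `dynamodb_table`. This file also targets a different bucket suffix (`220615867784`) from the sibling `csvd-dev-ew.tf` (`229685449397`) and from the runner label used in the workflows — presumably intentional for a separate account, but a one-line comment naming the account would spare the next reader a lookup.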
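--- a/backend-configs/csvd-dev-ew.tf
+++ b/backend-configs/csvd-dev-ew.tf
@@ -0,0 +1,4 @@
+bucket = "inf-tfstate-229685449397"
+key = "csvd-dev-gov/common/apps/ghe-runner"
+region = "us-gov-east-1"
+dynamodb_table = "tf_remote_state"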
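Review bot: The state key is `csvd-dev-gov/common/apps/ghe-runner` while the filename, the sibling `csvd-common-ew.tf` prefix and the new `aws_account = "csvd-dev-ew"` value all say `csvd-dev-ew`; if `csvd-dev-gov` is not the path of the existing dev state, `terraform init` will start from an empty state and the next plan will propose recreating every resource. Confirm which prefix the existing state lives under and, if nothing has been written yet, use `key = "csvd-dev-ew/common/apps/ghe-runner"`. Add `encrypt = true` as well so the S3 backend requests server-side encryption for the state object rather than relying on bucket defaults.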
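--- a/default.auto.tfvars
+++ b/default.auto.tfvars
@@ -3,7 +3,7 @@ image_name = "github-runner"
 image_version = "1.65.0"
 server_url = "https://github.e.it.census.gov"
 create_vpc_endpoint = true
-create_ecs_cluster = true
+create_ecs_cluster = false
 
 ecs_cluster_name = "ecs-ghe-runners"
 vpc_id = "vpc-00576a396ec570b94"
@@ -21,3 +21,5 @@ certs = {
 bucket = "image-pipeline-assets"
 key = "katello-server-ca.pem"
 }
+
+aws_account = "csvd-dev-ew"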
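Review bot: `aws_account = "csvd-dev-ew"` is added to `default.auto.tfvars`, which Terraform loads automatically for every workspace, so the new `csvd-common-ew` workspace this commit introduces inherits a dev account name unless `varfiles/csvd-common-ew.tfvars` overrides it (`-var-file` values do take precedence over `*.auto.tfvars`, but nothing here shows that file sets it); an environment identifier belongs in the per-workspace varfile, not in the shared defaults. The same applies to flipping `create_ecs_cluster` to `false`: that changes the default for every environment, so if the intent is to skip cluster creation only for the new environment, set it in that workspace's varfile instead and leave the shared default alone.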

