diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml
index 3055a9c..12c67b3 100644
--- a/.github/workflows/terraform_apply.yaml
+++ b/.github/workflows/terraform_apply.yaml
@@ -4,56 +4,139 @@ name: Terraform Apply
# Controls when the workflow will run
on:
push:
- branches: [ "main" ]
+ branches:
+ - main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
-
+
+concurrency:
+ group: ${{ github.repo }}-${{ vars.terraform_workspace }}
+
+permissions: write-all
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
- build:
+ Plan:
# The type of runner that the job will run on
- runs-on: [ ghe-runners ]
+ runs-on: ["229685449397"]
+
env:
- AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
- AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
- GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
+ TF_WORKSPACE: ${{ vars.terraform_workspace }}
+ TF_CLI_ARGS_plan: -lock-timeout=30m
+ TF_CLI_ARGS_apply: -lock-timeout=30m
+ NO_PROXY: ${{ vars.NO_PROXY }}
+
+ outputs:
+ commit_sha: "${{ steps.git_show.outputs.commit_sha }}"
+ cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
+ github_token: ${{ steps.github_credentials.outputs.github_token }}
+ aws_access_key_id: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ aws_secret_access_key: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ aws_session_token: ${{ steps.aws_auth.outputs.aws_session_token }}
-
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v3
-
+ - uses: CSVD/gh-actions-checkout@v4
+ id: checkout
+ with:
+ persist-credentials: false
- - uses: CSVD/gh-actions-setup-node@v3
+ - name: git show
+ id: git_show
+ run: |
+ echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV
+ echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_OUTPUT
+
+ - name: AWS Auth
+ id: aws_auth
+ uses: CSVD/aws-auth@main
with:
- node-version: 16
-
- - uses: CSVD/gh-actions-setup-terraform@v2
+ ecs: true
+
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
with:
- terraform_wrapper: false
- terraform_version: ${{ vars.terraform_version }}
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_base_url: "${{ github.server_url }}/"
- - name: Terraform Format
- id: fmt
- run: |
- terraform fmt -check
-
- - name: Autoformat Halt
- if: env.auto_format == 'true'
- run: exit 1
-
- name: Terraform Init
- id: init
- run: terraform init -upgrade
-
- - name: Terraform Validate
- id: validate
- run: terraform validate
+ uses: CSVD/terraform-init@main
+ id: terraform_init
+ with:
+ commit_sha: ${{ env.commit_sha }}
+ checkout: false
+ terraform_version: "1.9.1"
+ workspace: ${{ vars.terraform_workspace }}
+ setup_terraform: true
+ terraform_init: true
+ env:
+ GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+
+ - name: Terraform Plan
+ uses: CSVD/terraform-plan@main
+ with:
+ terraform_version: "1.9.1"
+ workspace: ${{ vars.terraform_workspace }}
+ commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
+ varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
+ download_cache: true
+ setup_terraform: false
+ cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
+ env:
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+ GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+ GITHUB_OWNER: ${{ github.repository_owner }}
+ GITHUB_BASE_URL: "${{ github.server_url }}/"
+ HTTP_PROXY: http://proxy.tco.census.gov:3128
+ HTTPS_PROXY: http://proxy.tco.census.gov:3128
+ NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"
+
+ Apply:
+ # The type of runner that the job will run on
+ runs-on: ["229685449397"]
+ needs: Plan
+ environment: requires_approval
+ steps:
+ - name: AWS Auth
+ id: aws_auth
+ uses: CSVD/aws-auth@main
+ with:
+ ecs: true
+
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
+ with:
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_base_url: "${{ github.server_url }}/"
- name: Terraform Apply
- id: plan
- run: terraform apply -auto-approve
- continue-on-error: true
+ uses: CSVD/terraform-apply@main
+ with:
+ terraform_version: "1.9.1"
+ workspace: ${{ vars.terraform_workspace }}
+ commit_sha: ${{ needs.Plan.outputs.commit_sha }}
+ download_cache: true
+ setup_terraform: true
+ terraform_wrapper: false
+ cache_key: ${{ needs.Plan.outputs.cache_key }}
+ env:
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+ GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+ GITHUB_OWNER: ${{ github.repository_owner }}
+ GITHUB_BASE_URL: "${{ github.server_url }}/"
+ HTTP_PROXY: http://proxy.tco.census.gov:3128
+ HTTPS_PROXY: http://proxy.tco.census.gov:3128
+ NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"
+
+
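Review bot: The Plan job's `outputs:` block exports the credentials produced by `aws_auth` and `github_credentials` (`github_token`, `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`), yet the Apply job runs its own `AWS Auth` and `Setup GITHUB Credentials` steps and reads only `needs.Plan.outputs.commit_sha` and `needs.Plan.outputs.cache_key`, so those four outputs are dead and should be deleted; whether they would be redacted when handed between jobs depends on the producing actions having masked them, which cannot be confirmed from here. `group: ${{ github.repo }}-${{ vars.terraform_workspace }}` references a property the `github` context does not define (the slug is `github.repository`), so it evaluates to an empty string and the group collapses to `-<workspace>`; the same line appears in terraform_plan.yaml. `permissions: write-all` grants the default `GITHUB_TOKEN` every scope although both workflows do their GitHub work through the App token from `gh-auth` and check out with `persist-credentials: false`, so `permissions:` with `contents: read` is sufficient in both files. The `CSVD/*@main` references in both files track a moving branch; pinning them to a tag or commit SHA keeps the plan/apply toolchain reproducible and reviewable. The job-level `NO_PROXY: ${{ vars.NO_PROXY }}` is overridden in the `Terraform Plan` and `Terraform Apply` steps by a hard-coded `NO_PROXY` list (likewise in terraform_plan.yaml), so the repository variable never reaches terraform and the two copies can drift.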
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index 5d5681b..335080b 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -4,117 +4,83 @@ name: Terraform Plan
# Controls when the workflow will run
on:
pull_request:
- # Allows you to run this workflow manually from the Actions tab
+ # Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
+
+concurrency:
+ group: ${{ github.repo }}-${{ vars.terraform_workspace }}
+permissions: write-all
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
- build:
+ Plan:
# The type of runner that the job will run on
- runs-on: [ "229685449397" ]
+ runs-on: ["229685449397"]
+
env:
- AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
- AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
- GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
+ TF_WORKSPACE: ${{ vars.terraform_workspace }}
+ TF_CLI_ARGS_plan: -lock-timeout=30m
+ TF_CLI_ARGS_apply: -lock-timeout=30m
+ NO_PROXY: ${{ vars.NO_PROXY }}
-
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: CSVD/gh-actions-checkout@v3
+ - uses: CSVD/gh-actions-checkout@v4
+ id: checkout
with:
- github-server-url: https://github.e.it.census.gov
- ref: ${{ github.head_ref }}
- token: ${{ secrets.GH_TOKEN }}
+ persist-credentials: false
-
- - uses: CSVD/gh-actions-setup-node@v3
+ - name: git show
+ run: echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV
+
+ - name: AWS Auth
+ id: aws_auth
+ uses: CSVD/aws-auth@main
with:
- node-version: 16
-
- - uses: CSVD/gh-actions-setup-terraform@v2
+ ecs: true
+
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
with:
- terraform_version: ${{ vars.terraform_version }}
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_base_url: "${{ github.server_url }}/"
- - name: Set output
- id: vars
- run: echo ::set-output name=short_ref::${GITHUB_REF#refs/*/}
-
- - name: Terraform Format
- id: fmt
- run: |
- terraform fmt
- if ! git diff-index --quiet HEAD; then
- git config --global user.name '${{ vars.REPO_OWNER }}'
- git config --global user.email '${{ vars.REPO_OWNER_EMAIL }}'
- git commit -am "Autoformatting TF Code"
- git push
- echo "auto_format=true" >> $GITHUB_ENV
- fi
-
- - name: Autoformat Halt
- if: env.auto_format == 'true'
- run: exit 0
-
- name: Terraform Init
- id: init
- run: terraform init -upgrade
-
- - name: Terraform Validate
- id: validate
- run: terraform validate -no-color
-
- - name: Terraform Plan
- id: plan
- if: github.event_name == 'pull_request'
- run: terraform plan -no-color -out=${{ vars.plan_cache }}/${{ github.sha }}
- continue-on-error: true
-
- - name: Terraform Plan
- if: github.event_name != 'pull_request'
- run: terraform plan -no-color
- continue-on-error: true
-
- - name: Terraform Show plan
- if: github.event_name == 'pull_request'
- run: echo ::set-output name=terraform_plan::$(terraform show ${{ vars.plan_cache }}/${{ github.sha }})
-
- - name: Post Terraform Plan to PR
- uses: CSVD/gh-actions-github-script@v6
- if: github.event_name == 'pull_request'
+ uses: CSVD/terraform-init@main
+ id: terraform_init
+ with:
+ commit_sha: ${{ env.commit_sha }}
+ checkout: false
+ terraform_version: "1.9.1"
+ workspace: ${{ vars.terraform_workspace }}
+ setup_terraform: true
+ terraform_init: true
env:
- PLAN: "terraform\n${{ env.terraform_plan }}"
+ GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+
+ - name: Terraform Plan
+ uses: CSVD/terraform-plan@main
with:
- github-token: ${{ secrets.GH_TOKEN }}
- script: |
- const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
- #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
- #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
- Validation Output
-
- \`\`\`\n
- ${{ steps.validate.outputs.stdout }}
- \`\`\`
-
-
-
- #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
-
- Show Plan
-
- \`\`\`\n
- ${process.env.PLAN}
- \`\`\`
-
-
-
- *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
+ terraform_version: "1.9.1"
+ workspace: ${{ vars.terraform_workspace }}
+ commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
+ varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
+ download_cache: true
+ setup_terraform: false
+ cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
+ env:
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+ GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+ GITHUB_OWNER: ${{ github.repository_owner }}
+ GITHUB_BASE_URL: "${{ github.server_url }}/"
+ HTTP_PROXY: http://proxy.tco.census.gov:3128
+ HTTPS_PROXY: http://proxy.tco.census.gov:3128
+ NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"
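Review bot: The `git show` step here has no `id` and writes `commit_sha` only to `$GITHUB_ENV`, whereas the same step in terraform_apply.yaml (`id: git_show`) also writes `$GITHUB_OUTPUT`; `Terraform Init` reads `${{ env.commit_sha }}` so it works, but the two workflows should derive the SHA identically, and `git rev-parse HEAD` states the intent more directly than the `git show | grep commit | head -1 | awk` pipeline, e.g. `run: echo "commit_sha=$(git rev-parse HEAD)" >> "$GITHUB_ENV"`. The `concurrency.group` expression is the same as the apply workflow's, and concurrency groups are shared across a repository's workflows, so a pull-request plan queued while an apply is running is held and any earlier pending plan is cancelled rather than run in turn. If that coupling is not intended, give this workflow its own group, for example `group: plan-${{ github.repository }}-${{ github.head_ref || github.ref }}`; the `-lock-timeout=30m` already set through `TF_CLI_ARGS_plan` handles state-lock contention on its own.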
diff --git a/.targets b/.targets
deleted file mode 100644
index b866136..0000000
--- a/.targets
+++ /dev/null
@@ -1,2 +0,0 @@
-aws_iam_policy.policy
-aws_iam_policy.admin_policy
diff --git a/app_setup.tf b/app_setup.tf
new file mode 100644
index 0000000..f8a81f0
--- /dev/null
+++ b/app_setup.tf
@@ -0,0 +1,7 @@
+#data "aws_secretsmanager_secret" "app_install" {
+# name = "github-runners/github/secrets-key"
+#}
+
+#output app_install {
+# value = data.aws_secretsmanager_secret.app_install
+#}
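Review bot: This new file consists only of commented-out HCL (a `data "aws_secretsmanager_secret"` block and an `output`), so Terraform ignores it and it survives only as dead text; either drop it from the commit or keep it with a leading comment stating why it is parked and what would re-enable it, e.g. `# Disabled: <reason — TODO fill in>; re-enable once <condition>`. If it is meant as a reminder, a reference to a tracked issue is easier to find later than a silent file.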
diff --git a/backend-configs/csvd-common-ew.tf b/backend-configs/csvd-common-ew.tf
new file mode 100644
index 0000000..98a3486
--- /dev/null
+++ b/backend-configs/csvd-common-ew.tf
@@ -0,0 +1,4 @@
+bucket = "inf-tfstate-220615867784"
+key = "csvd-common-ew/common/apps/ghe-runner"
+region = "us-gov-east-1"
+dynamodb_table = "tf_remote_state"
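Review bot: Neither this backend file nor backend-configs/csvd-dev-ew.tf sets `encrypt = true`, and the S3 backend's `encrypt` setting defaults to false, so Terraform does not request server-side encryption for the state object (which carries resource attributes and any sensitive values); add `encrypt = true` to both files. The `.tf` extension is misleading for a partial backend configuration: these files hold bare attributes rather than blocks and would fail to parse if a module ever loaded the directory, so a `.tfbackend` (or `.hcl`) suffix names them for what they are. In csvd-dev-ew.tf the state `key` begins with `csvd-dev-gov/` while the file name and the `aws_account = "csvd-dev-ew"` value added in default.auto.tfvars use `csvd-dev-ew`; this may be deliberate, but it is worth confirming the key points at the intended state object.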
diff --git a/backend-configs/csvd-dev-ew.tf b/backend-configs/csvd-dev-ew.tf
new file mode 100644
index 0000000..b7dc755
--- /dev/null
+++ b/backend-configs/csvd-dev-ew.tf
@@ -0,0 +1,4 @@
+bucket = "inf-tfstate-229685449397"
+key = "csvd-dev-gov/common/apps/ghe-runner"
+region = "us-gov-east-1"
+dynamodb_table = "tf_remote_state"
diff --git a/default.auto.tfvars b/default.auto.tfvars
index 0e42c1b..52c4e39 100644
--- a/default.auto.tfvars
+++ b/default.auto.tfvars
@@ -3,7 +3,7 @@ image_name = "github-runner"
image_version = "1.65.0"
server_url = "https://github.e.it.census.gov"
create_vpc_endpoint = true
-create_ecs_cluster = true
+create_ecs_cluster = false
ecs_cluster_name = "ecs-ghe-runners"
vpc_id = "vpc-00576a396ec570b94"
@@ -21,3 +21,5 @@ certs = {
bucket = "image-pipeline-assets"
key = "katello-server-ca.pem"
}
+
+aws_account = "csvd-dev-ew"
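Review bot: `aws_account = "csvd-dev-ew"` in an auto-loaded tfvars file gives every workspace a dev-account fallback for a variable that variables.tf declares without a default; because `-var-file` values override `*.auto.tfvars`, the per-workspace file still wins when present, but if `varfiles/<workspace>.tfvars` is missing or omits the variable, the run silently labels resources as the dev account instead of failing. Keeping `aws_account` only in the workspace varfiles (as varfiles/csvd-common-ew.tfvars does) preserves the required-variable guard. It is not visible here whether a `varfiles/csvd-dev-ew.tfvars` exists; if it does, the value belongs there.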
diff --git a/ecs_cluster.tf b/ecs_cluster.tf
new file mode 100644
index 0000000..7f93a4c
--- /dev/null
+++ b/ecs_cluster.tf
@@ -0,0 +1,23 @@
+# __generated__ by Terraform
+# Please review these resources and move them into your main configuration files.
+
+# __generated__ by Terraform from "ecs-ghe-runners-us-gov-west-1"
+resource "aws_ecs_cluster" "github-runner" {
+ count = var.create_ecs_cluster ? 1 : 0
+ name = "${var.ecs_cluster_name}-${data.aws_region.current.name}"
+ tags = {}
+ tags_all = {}
+ setting {
+ name = "containerInsights"
+ value = "disabled"
+ }
+}
+
+data "aws_ecs_cluster" "github-runner" {
+ count = var.create_ecs_cluster ? 0 : 1
+ cluster_name = "${var.ecs_cluster_name}-${data.aws_region.current.name}"
+}
+
+locals {
+ ecs_cluster = var.create_ecs_cluster ? one(aws_ecs_cluster.github-runner) : merge(one(data.aws_ecs_cluster.github-runner), { name = one(data.aws_ecs_cluster.github-runner).cluster_name })
+}
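Review bot: `tags_all = {}` on the `aws_ecs_cluster` resource is an attribute the AWS provider manages itself (it is where `default_tags` are merged in); on provider versions where it is computed-only, `terraform validate` rejects the assignment, and where it is still settable an empty map may produce a perpetual diff against `default_tags`, so drop the line — the `__generated__` header explains how it got here. The `locals.ecs_cluster` expression merges the data-source object with a synthesized `name` so both branches expose `.name`, but the branches still have different object shapes (resource vs. data-source attributes), and the only consumers visible in this diff are the `local.ecs_cluster.name` references in main.tf; a scalar local avoids the merge: `ecs_cluster_name = var.create_ecs_cluster ? one(aws_ecs_cluster.github-runner).name : one(data.aws_ecs_cluster.github-runner).cluster_name`. That would change the two main.tf references from `local.ecs_cluster.name` to `local.ecs_cluster_name`.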
diff --git a/main.tf b/main.tf
index 37fc5da..170f2ca 100644
--- a/main.tf
+++ b/main.tf
@@ -1,11 +1,3 @@
-data "aws_ecs_cluster" "github-runner" {
- cluster_name = "${var.ecs_cluster_name}-${data.aws_region.current.name}"
-}
-
-locals {
- ecs_cluster = data.aws_ecs_cluster.github-runner.cluster_name
-}
-
data "aws_ip_ranges" "ip_ranges" {
regions = ["us-gov-west-1", "us-gov-east-1"]
services = ["s3", "dynamodb"]
@@ -72,7 +64,7 @@ resource "aws_vpc_endpoint" "ecr" {
}
resource "aws_ecs_cluster_capacity_providers" "fargate" {
- cluster_name = local.ecs_cluster
+ cluster_name = local.ecs_cluster.name
capacity_providers = ["FARGATE"]
@@ -94,9 +86,9 @@ locals {
module "github-runner" {
# for_each = toset([for repo in local.all_repos : repo])
source = "HappyPathway/github-runner/ecs"
- ecs_cluster = local.ecs_cluster
+ ecs_cluster = local.ecs_cluster.name
hostname = var.repo_org
- image = "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/github-runners/${var.image_name}:${var.image_version}"
+ image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/github-runners/${var.image_name}:${var.image_version}"
repo_org = var.repo_org
# repo_name = each.value
namespace = "${lower(var.repo_org)}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
@@ -116,6 +108,7 @@ module "github-runner" {
runner_labels = [
var.aws_account,
lower(var.repo_org),
+ var.aws_account,
"${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}",
data.aws_caller_identity.current.account_id,
data.aws_region.current.name,
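Review bot: `var.aws_account` is appended to `runner_labels` although it is already the first element of the same list two lines above, so the label is registered twice; drop the added `var.aws_account,` line. If the `github-runner` module de-duplicates labels this is harmless, but that is not visible here, and a repeated label is at best noise in the registration string. `module "github-runner"` starts and ends outside this hunk.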
@@ -129,7 +122,8 @@ module "github-runner" {
}
tag = "github-runner"
depends_on = [
- aws_iam_policy.policy
+ aws_iam_policy.policy,
+ aws_vpc_endpoint.ecr
]
}
diff --git a/varfiles/csvd-common-ew.tfvars b/varfiles/csvd-common-ew.tfvars
new file mode 100644
index 0000000..5fc9686
--- /dev/null
+++ b/varfiles/csvd-common-ew.tfvars
@@ -0,0 +1,23 @@
+namespace = "csvd-common-ew"
+repo_org = "CSVD"
+desired_count = 1
+create_ecs_cluster = true
+# create_vpc_endpoint = false
+aws_account = "csvd-common-ew"
+
+ecs_cluster_name = "ecs-ghe-runners"
+vpc_id = "vpc-0da08a2244f23b246"
+
+subnets = [
+ "subnet-00b7920342b4c41f3"
+]
+
+security_groups = [
+ "sg-00329ba6018f916b2"
+]
+
+certs = {
+ bucket = "image-pipeline-assets-220615867784-us-gov-west-1"
+ key = "katello-server-ca.pem"
+}
+
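Review bot: `# create_vpc_endpoint = false` leaves the variable unset for this workspace, so it inherits `create_vpc_endpoint = true` from default.auto.tfvars; if the common account is not meant to create its own endpoint, set `create_vpc_endpoint = false` explicitly rather than relying on the dev-oriented defaults, and either way a comment stating which is intended would help. `namespace = "csvd-common-ew"` assigns a variable whose declaration is not in this diff, while main.tf derives the module's `namespace` from `repo_org`, account id and region; if `variable "namespace"` no longer exists Terraform only warns about the undeclared value, so confirm it is still consumed. The file also ends with a blank line after the closing `}`, which `terraform fmt` would remove.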
diff --git a/variables.tf b/variables.tf
index abb1f06..1baaf47 100644
--- a/variables.tf
+++ b/variables.tf
@@ -92,6 +92,6 @@ variable "base_url" {
default = "https://github.e.it.census.gov/"
}
-variable aws_account {
+variable "aws_account" {
type = string
}