From a1fe4a4157a733528a750ea4089559a18e98e863 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 6 May 2025 21:59:57 -0400
Subject: [PATCH] move buildspecs to buildspecs dir
---
 .github/platform-tg-infra.code-workspace | 10 ++
 .github/workflows/package-and-upload.yml | 120 ++++++++++++++++++
 Makefile | 57 ++++++++-
 buildspecs/deploy.terragrunt.yml | 72 +++++++++++
 buildspecs/security.yml | 40 ++++++
 buildspecs/terragrunt.yml | 72 +++++++++++
 lab/_envcommon/default-versions.hcl | 2 +
 .../eks-pipeline/terragrunt.hcl | 95 ++++++++++++++
 .../csvd-platform-lab-mcm/eks/terragrunt.hcl | 6 +
 scripts/import-s3-bucket.sh | 25 ++++
 10 files changed, 498 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/package-and-upload.yml
 create mode 100644 buildspecs/deploy.terragrunt.yml
 create mode 100644 buildspecs/security.yml
 create mode 100644 buildspecs/terragrunt.yml
 create mode 100644 lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl
 create mode 100644 scripts/import-s3-bucket.sh
diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace
index 23f62eb0..d06d1f14 100644
--- a/.github/platform-tg-infra.code-workspace
+++ b/.github/platform-tg-infra.code-workspace
@@ -80,6 +80,10 @@
 "name": "tfmod-open-telemetry",
 "path": "../../tfmod-open-telemetry"
 },
+ {
+ "name": "tfmod-pipeline",
+ "path": "../../tfmod-pipeline"
+ },
 {
 "name": "tfmod-prometheus",
 "path": "../../tfmod-prometheus"
@@ -91,6 +95,12 @@
 {
 "name": "tfmod-tempo",
 "path": "../../tfmod-tempo"
+ },
+ {
+ "path": "../../243219719746-lab-gov-management-nonprod"
+ },
+ {
+ "path": "../../../terraform-modules/aws-s3"
 }
 ]
 }
diff --git a/.github/workflows/package-and-upload.yml b/.github/workflows/package-and-upload.yml
new file mode 100644
index 00000000..99603664
--- /dev/null
+++ b/.github/workflows/package-and-upload.yml
@@ -0,0 +1,120 @@ +name: Package and Upload Terragrunt Configs + +on: + push: + branches: [main] + workflow_dispatch: + inputs: + bootstrap: + description: 'Run bootstrap apply' + required: false + default: 'false' + type: choice + options: + - 'true' + - 'false' + +env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + ACCOUNT_PROFILE_NAME: "lab-dev-gov" + CLUSTER_NAME: "csvd-platform-lab-mcm" + SOURCE_KEY: "platform-tg-infra.zip" + PIPELINE_PATH: "lab/development/us-gov-east-1/vpc/${CLUSTER_NAME}/eks-pipeline" + +permissions: + actions: read + contents: read + id-token: write + +jobs: + package-and-upload: + runs-on: [self-hosted, Linux, X64, buildkitsandbox] + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Configure AWS credentials + uses: etools/configure-aws-credentials@main + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks" + role-skip-session-tagging: true + + - name: Add profile credentials to ~/.aws/credentials + run: | + aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + - name: Package Terragrunt configs + run: | + # Create a zip file of the repository contents + zip -r platform-tg-infra.zip . 
-x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" + + # Calculate bucket name using the same format as in tfmod-pipeline/s3.tf + REGION_SHORT=$(echo ${{ vars.AWS_REGION }} | sed 's/\([a-z]\)[a-z]*-/\1/g') + SOURCE_BUCKET="inf-s3-${CLUSTER_NAME}-artifacts-${{ vars.AWS_ACCOUNT_ID }}-${REGION_SHORT}" + echo "SOURCE_BUCKET=${SOURCE_BUCKET}" >> $GITHUB_ENV + + # Calculate the object key with the cluster-specific path + OBJECT_KEY="clusters/${CLUSTER_NAME}/platform-tg-infra.zip" + echo "OBJECT_KEY=${OBJECT_KEY}" >> $GITHUB_ENV + + # Check if the source bucket exists, create it if it doesn't + if ! aws s3api head-bucket --bucket ${SOURCE_BUCKET} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" 2>/dev/null; then + echo "Creating source bucket ${SOURCE_BUCKET}" + aws s3 mb s3://${SOURCE_BUCKET} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" --region ${{ vars.AWS_REGION }} + + # Configure bucket for versioning + aws s3api put-bucket-versioning --bucket ${SOURCE_BUCKET} \ + --versioning-configuration Status=Enabled \ + --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + # Block public access + aws s3api put-public-access-block --bucket ${SOURCE_BUCKET} \ + --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \ + --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + # Create a flag file to indicate the bucket needs to be imported + echo "BUCKET_NEEDS_IMPORT=true" >> $GITHUB_ENV + else + echo "Bucket ${SOURCE_BUCKET} already exists" + fi + + # Upload the zip file to S3 + aws s3 cp platform-tg-infra.zip s3://${SOURCE_BUCKET}/${OBJECT_KEY} \ + --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + echo "Uploaded platform-tg-infra.zip to s3://${SOURCE_BUCKET}/${OBJECT_KEY}" + + - name: Make Import Script Executable + if: ${{ github.event.inputs.bootstrap == 'true' && 
env.BUCKET_NEEDS_IMPORT == 'true' }} + run: | + chmod +x scripts/import-s3-bucket.sh + + - name: Bootstrap Pipeline (if requested) + if: ${{ github.event.inputs.bootstrap == 'true' }} + run: | + # If the bucket was just created, import it first + if [ "$BUCKET_NEEDS_IMPORT" = "true" ]; then + echo "Running import for newly created bucket $SOURCE_BUCKET" + ./scripts/import-s3-bucket.sh \ + "$SOURCE_BUCKET" \ + "${{ vars.AWS_REGION }}" \ + "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" \ + "$PIPELINE_PATH" + fi + + # Now proceed with terragrunt apply + cd $PIPELINE_PATH + https_proxy=http://proxy.tco.census.gov:3128 \ + http_proxy=http://proxy.tco.census.gov:3128 \ + NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \ + TERRAGRUNT_PROVIDER_CACHE=1 \ + terragrunt apply --terragrunt-non-interactive -auto-approve + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/Makefile b/Makefile index fc196a2c..c55b7d5f 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: help init validate plan fmt check clean +.PHONY: help init validate plan fmt check clean deploy-to-pipeline help: @echo "Available targets:" @@ -8,6 +8,7 @@ help: @echo " fmt - Format HCL files" @echo " check - Run all checks (format, validate, plan)" @echo " clean - Clean up Terragrunt cache and temporary files" + @echo " deploy-to-pipeline - Zip and upload to S3 to trigger CodePipeline" init: @echo "Initializing Terragrunt configurations..." 
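Review bot: The bucket the upload step computes, `SOURCE_BUCKET="inf-s3-${CLUSTER_NAME}-artifacts-${{ vars.AWS_ACCOUNT_ID }}-${REGION_SHORT}"`, uses a different prefix from the Makefile's `deploy-to-pipeline` target (`v-s3-eks-$(CLUSTER_NAME)-artifacts-...`) and from the eks-pipeline terragrunt.hcl (`format("v-s3-eks-%v-artifacts-%v-%v", ...)`) that tells the pipeline where to read, so this workflow creates and uploads into a bucket the pipeline source never looks at; the comment says the format mirrors tfmod-pipeline/s3.tf, which is not in this patch, so one of the three should be corrected and the prefix kept in a single place. The workflow-level `PIPELINE_PATH: "lab/development/us-gov-east-1/vpc/${CLUSTER_NAME}/eks-pipeline"` is stored literally, since GitHub only interpolates `${{ }}` expressions in `env`, so `cd $PIPELINE_PATH` in the bootstrap step will look for a directory literally named `${CLUSTER_NAME}`; spell the cluster name out there or build the path at step level with `${{ env.CLUSTER_NAME }}`. `NODE_TLS_REJECT_UNAUTHORIZED: '0'` at job scope turns off certificate validation for every Node-based action in the job, including the step that obtains the AWS role credentials; if a proxy CA is the problem, install it on the self-hosted runner instead, or scope the variable to the single step that needs it. `actions/checkout@v2` and `etools/configure-aws-credentials@main` are mutable references; pin both to a commit SHA so the code that handles the role credentials cannot change without a review.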
@@ -33,3 +34,57 @@ clean: find . -type d -name ".terragrunt-cache" -exec rm -rf {} + find . -type f -name ".terraform.lock.hcl" -delete find . -type f -name "terragrunt-debug.tfvars.json" -delete + +deploy-to-pipeline: + @echo "Preparing to deploy to pipeline..." + @echo "Detecting environment configuration..." + + # Set defaults or use provided values + $(eval ENV ?= development) + $(eval REGION_DIR ?= us-gov-east-1) + $(eval CLUSTER_DIR ?= csvd-platform-lab-mcm) + + # Detect account variables + $(eval ACCOUNT_HCL=lab/$(ENV)/account.hcl) + $(eval REGION_HCL=lab/$(ENV)/$(REGION_DIR)/region.hcl) + $(eval CLUSTER_HCL=lab/$(ENV)/$(REGION_DIR)/vpc/$(CLUSTER_DIR)/cluster.hcl) + + @if [ ! -f "$(ACCOUNT_HCL)" ]; then echo "Error: $(ACCOUNT_HCL) not found"; exit 1; fi + @if [ ! -f "$(REGION_HCL)" ]; then echo "Error: $(REGION_HCL) not found"; exit 1; fi + @if [ ! -f "$(CLUSTER_HCL)" ]; then echo "Error: $(CLUSTER_HCL) not found"; exit 1; fi + + @echo "Extracting configuration values..." + # Extract values from HCL files + $(eval AWS_ACCOUNT_ID=$(shell grep -oP 'aws_account_id\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) + $(eval ACCOUNT_NAME=$(shell grep -oP 'account_name\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) + $(eval AWS_PROFILE=$(shell echo $(AWS_ACCOUNT_ID)-$(shell echo $(ACCOUNT_NAME) | sed 's/-ew/-gov/'))) + $(eval AWS_REGION=$(shell grep -oP 'aws_region\s*=\s*"\K[^"]+' $(REGION_HCL))) + $(eval CLUSTER_NAME=$(shell grep -oP 'cluster_name\s*=\s*"\K[^"]+' $(CLUSTER_HCL))) + + @echo "Using configuration:" + @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" + @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" + @echo " AWS_PROFILE: $(AWS_PROFILE)" + @echo " AWS_REGION: $(AWS_REGION)" + @echo " CLUSTER_NAME: $(CLUSTER_NAME)" + + @if [ -z "$(AWS_ACCOUNT_ID)" ] || [ -z "$(AWS_PROFILE)" ] || [ -z "$(AWS_REGION)" ] || [ -z "$(CLUSTER_NAME)" ]; then \ + echo "Error: Failed to extract all required variables from HCL files"; \ + exit 1; \ + fi + + @echo "Creating zip file..." + zip -r platform-tg-infra.zip . 
-x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" + + @echo "Calculating S3 bucket name..." + $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) + $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) + $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) + + @echo "Uploading to S3 bucket $(S3_BUCKET)..." + aws s3 cp platform-tg-infra.zip s3://$(S3_BUCKET)/$(OBJECT_KEY) --profile $(AWS_PROFILE) + @echo "Upload complete. Pipeline should trigger automatically." + @echo "Check the AWS CodePipeline console for status." + + @echo "Cleaning up local zip file..." + rm -f platform-tg-infra.zip diff --git a/buildspecs/deploy.terragrunt.yml b/buildspecs/deploy.terragrunt.yml new file mode 100644 index 00000000..3225894b --- /dev/null +++ b/buildspecs/deploy.terragrunt.yml 
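Review bot: The `zip -r platform-tg-infra.zip . -x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*"` line excludes caches but not `terragrunt-debug.tfvars.json`, which the `clean` target just above shows does accumulate in this tree; those files contain fully rendered module inputs and can carry credentials, and here they would be shipped to the artifact bucket, so add `"*terragrunt-debug.tfvars.json"` to the `-x` list (the identical zip line in the package-and-upload workflow needs the same exclusion). The `grep -oP` extractions depend on GNU grep's PCRE support, so the target fails with an unrelated-looking error on macOS or BusyBox; a `sed -n 's/^aws_account_id *= *"\([^"]*\)".*/\1/p'` form is portable. If `aws s3 cp` fails, the trailing `rm -f platform-tg-infra.zip` never runs and a zip of the whole tree is left in the working directory; running the upload and cleanup on one recipe line, `aws s3 cp ... --profile $(AWS_PROFILE); rc=$$?; rm -f platform-tg-infra.zip; exit $$rc`, keeps the cleanup on the failure path without masking the exit status.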
@@ -0,0 +1,72 @@ +version: 0.2 + +env: + variables: + BASE_DIR: "lab" + TF_VERSION: "1.5.5" + TG_VERSION: "0.72.0" + TOOLS_DIR: "/tmp/build-tools" + exported-variables: + - TERRAGRUNT_PATH + +cache: + paths: + - '/tmp/build-tools/**/*' + +phases: + install: + runtime-versions: + python: 3.11 + commands: + - echo "Setting up environment and tools" + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + + # Create tools directory if it doesn't exist + - mkdir -p $TOOLS_DIR/bin + + # Check if cached Terraform exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then + echo "Using cached Terraform v$TF_VERSION" + else + echo "Downloading Terraform v$TF_VERSION" + curl -Lo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" + unzip -o /tmp/terraform.zip -d $TOOLS_DIR/bin/ + chmod +x $TOOLS_DIR/bin/terraform + fi + + # Check if cached Terragrunt exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terragrunt" ] && [ "$($TOOLS_DIR/bin/terragrunt --version | grep -o "v$TG_VERSION")" = "v$TG_VERSION" ]; then + echo "Using cached Terragrunt v$TG_VERSION" + else + echo "Downloading Terragrunt v$TG_VERSION" + curl -Lo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" + chmod +x $TOOLS_DIR/bin/terragrunt + fi + + # Add tools to PATH + - export PATH=$TOOLS_DIR/bin:$PATH + - terraform --version + - terragrunt --version + - aws sts get-caller-identity + + build: + commands: + - echo "Running Terragrunt apply" + - cd $TERRAGRUNT_PATH + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export 
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + - terragrunt run-all apply --terragrunt-non-interactive -auto-approve + + post_build: + commands: + - echo "Terragrunt apply completed on `date`" + +artifacts: + files: + - '**/*' + base-directory: '.' diff --git a/buildspecs/security.yml b/buildspecs/security.yml new file mode 100644 index 00000000..37a42cf1 --- /dev/null +++ b/buildspecs/security.yml @@ -0,0 +1,40 @@ +version: 0.2 + +env: + variables: + TOOLS_DIR: "/tmp/build-tools" + +cache: + paths: + - '/tmp/build-tools/**/*' + +phases: + install: + runtime-versions: + python: 3.9 + commands: + - echo "Setting up security scanning tools" + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + + # Install security scanning tools + - mkdir -p $TOOLS_DIR/bin + - pip install checkov -q + - pip install tfsec -q + + build: + commands: + - echo "Running security scans" + - checkov --directory . --framework terraform --quiet --compact + - checkov --directory . --framework terragrunt --quiet --compact + - tfsec . --no-color + + post_build: + commands: + - echo "Security scan completed on `date`" + +artifacts: + files: + - '**/*' + base-directory: '.' diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml new file mode 100644 index 00000000..7f269e75 --- /dev/null +++ b/buildspecs/terragrunt.yml 
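Review bot: The install phase fetches Terraform and Terragrunt with `curl -Lo ...` and executes them without checking a checksum or signature, and the cache test only greps the version banner, so any binary left in the cached `/tmp/build-tools/bin` that prints the expected version is trusted on every later build; this is the stage that runs `run-all apply -auto-approve` under the pipeline's role, so verifying the download before `chmod +x` is worth the extra lines. HashiCorp publishes `terraform_${TF_VERSION}_SHA256SUMS` (with a `.sig`) next to the zip, and the Terragrunt release carries a `SHA256SUMS` asset; save the archive under its published file name so `sha256sum -c` can match the entry. The same install block is duplicated in buildspecs/terragrunt.yml and needs the identical change, which is one argument for moving it into a shared script under buildspecs/. A checksum file from the same origin as the binary guards against truncated or substituted downloads rather than a compromised publisher; verifying the `.sig` against HashiCorp's release key closes that gap if the build image has gpg.
```yaml
      # Check if cached Terraform exists and matches required version
      - |
        if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then
          echo "Using cached Terraform v$TF_VERSION"
        else
          echo "Downloading Terraform v$TF_VERSION"
          TF_ZIP="terraform_${TF_VERSION}_linux_amd64.zip"
          curl -Lo "/tmp/${TF_ZIP}" "https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}"
          curl -Lo /tmp/terraform_SHA256SUMS "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_SHA256SUMS"
          # Abort unless the archive matches the published digest; an unmatched
          # entry makes sha256sum exit non-zero as well.
          (cd /tmp && grep " ${TF_ZIP}$" terraform_SHA256SUMS | sha256sum -c -) || exit 1
          unzip -o "/tmp/${TF_ZIP}" -d $TOOLS_DIR/bin/
          chmod +x $TOOLS_DIR/bin/terraform
        fi
      # … unchanged: Terragrunt block, with the same download-then-`sha256sum -c` check against its release SHA256SUMS …
```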
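Review bot: `pip install checkov -q` and `pip install tfsec -q` install whatever version PyPI serves at build time, so the gate's findings, and the exit status that blocks the pipeline, can change between two builds of the same commit; pin them the way the sibling buildspecs pin `TF_VERSION`/`TG_VERSION`, e.g. `pip install -q "checkov==<PINNED_VERSION>"`, and consider `--require-hashes` for the security stage in particular. I could not confirm from this page that a `tfsec` package on PyPI installs the tfsec scanner, or that `terragrunt` is an accepted value for `checkov --framework`; if either is wrong the corresponding scan does not actually run, so check both against the tool versions you pin. This buildspec also selects `python: 3.9` while the two Terragrunt buildspecs use `3.11`, which looks unintentional and is another drift point that pinning would surface.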
@@ -0,0 +1,72 @@ +version: 0.2 + +env: + variables: + BASE_DIR: "lab" + TF_VERSION: "1.5.5" + TG_VERSION: "0.72.0" + TOOLS_DIR: "/tmp/build-tools" + exported-variables: + - TERRAGRUNT_PATH + +cache: + paths: + - '/tmp/build-tools/**/*' + +phases: + install: + runtime-versions: + python: 3.11 + commands: + - echo "Setting up environment and tools" + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + + # Create tools directory if it doesn't exist + - mkdir -p $TOOLS_DIR/bin + + # Check if cached Terraform exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then + echo "Using cached Terraform v$TF_VERSION" + else + echo "Downloading Terraform v$TF_VERSION" + curl -Lo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" + unzip -o /tmp/terraform.zip -d $TOOLS_DIR/bin/ + chmod +x $TOOLS_DIR/bin/terraform + fi + + # Check if cached Terragrunt exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terragrunt" ] && [ "$($TOOLS_DIR/bin/terragrunt --version | grep -o "v$TG_VERSION")" = "v$TG_VERSION" ]; then + echo "Using cached Terragrunt v$TG_VERSION" + else + echo "Downloading Terragrunt v$TG_VERSION" + curl -Lo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" + chmod +x $TOOLS_DIR/bin/terragrunt + fi + + # Add tools to PATH + - export PATH=$TOOLS_DIR/bin:$PATH + - terraform --version + - terragrunt --version + - aws sts get-caller-identity + + build: + commands: + - echo "Running Terragrunt plan" + - cd $TERRAGRUNT_PATH + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export 
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + - terragrunt run-all plan --terragrunt-non-interactive + + post_build: + commands: + - echo "Terragrunt plan completed on `date`" + +artifacts: + files: + - '**/*' + base-directory: '.' diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 274aea2f..7f6fcc67 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -29,6 +29,7 @@ locals { "eks-loki" = "0.1.3" "eks-metrics-server" = "0.1.3" "eks-otel" = "0.0.2" + "eks-pipeline" = "initial" "eks-postgresql" = false "eks-prometheus" = "0.1.3" "eks-tempo" = "0.1.3" @@ -62,6 +63,7 @@ locals { "eks-kiali" = true "eks-loki" = true "eks-otel" = true + "eks-pipeline" = true "eks-postgresql" = false "eks-prometheus" = true "eks-tempo" = true diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl new file mode 100644 index 00000000..85a2765d --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
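Review bot: `terragrunt run-all plan --terragrunt-non-interactive` in the build phase discards the plan, and buildspecs/deploy.terragrunt.yml then runs `run-all apply --terragrunt-non-interactive -auto-approve`, which plans again from the then-current state, so the change set the approval stage configured in eks-pipeline/terragrunt.hcl signs off on is not necessarily the one applied. Writing the plan with `-out` and applying that file in the deploy stage closes the gap; the workspace already travels as the `'**/*'` artifact, but run-all writes plan files relative to each module's working directory, so confirm they survive the artifact hop before relying on it, and if that is impractical say so in the approval `custom_message`. The install phase here is byte-identical to the one in deploy.terragrunt.yml, including the unverified curl downloads noted there, and a shared script under buildspecs/ would keep the two from drifting. `BASE_DIR: "lab"` is not referenced by any command in this file — presumably consumed by the pipeline module, otherwise it should go.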
@@ -0,0 +1,95 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +inputs = { + account_id = include.root.inputs.aws_account_id + cluster_name = include.root.inputs.cluster_name + environment = include.root.inputs.environment_abbr + region = include.root.inputs.aws_region + + # VPC Configuration + vpc_name = include.root.inputs.vpc_name + subnet_filter = "*-container-*" # or any specific pattern you want to use + + # Pipeline specific configurations + name = format("%v-pipeline", include.root.inputs.cluster_name) + + # The bucket name must match exactly what's created in the GitHub Action + source_configuration = { + provider = "S3" + s3_config = { + bucket = format("v-s3-eks-%v-artifacts-%v-%v", + include.root.inputs.cluster_name, + include.root.inputs.aws_account_id, + join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)])) + object_key = format("clusters/%v/platform-tg-infra.zip", include.root.inputs.cluster_name) + } + } + + is_infrastructure_pipeline = true + + # Updated to use buildspecs from the platform-tg-infra repository + buildspec_template_path = "buildspecs" + + build_configuration = { + compute_type = "BUILD_GENERAL1_MEDIUM" + image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + buildspec_path = "terragrunt.yml" + privileged_mode = true + environment_variables = { + TERRAGRUNT_PATH = 
"lab/development/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" + REGION = include.root.inputs.aws_region + ENVIRONMENT = include.root.inputs.environment_abbr + AWS_ACCOUNT_ID = include.root.inputs.aws_account_id + PROXY_CONFIG = "http://proxy.tco.census.gov:3128" + } + } + + security_scan_configuration = { + compute_type = "BUILD_GENERAL1_MEDIUM" + image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + buildspec_path = "security.yml" + } + + approval_configuration = { + enabled = true + notify_emails = [include.root.inputs.cluster_mailing_list] + custom_message = "Please review and approve infrastructure changes to the CSVD platform" + } + + deployment_configuration = { + target_type = "Build" + compute_type = "BUILD_GENERAL1_MEDIUM" + image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + buildspec_path = "deploy.terragrunt.yml" + environment_variables = { + TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" + REGION = include.root.inputs.aws_region + ENVIRONMENT = include.root.inputs.environment_abbr + AWS_ACCOUNT_ID = include.root.inputs.aws_account_id + PROXY_CONFIG = "http://proxy.tco.census.gov:3128" + } + } +} diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index e98f4cb8..13ed5d01 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -24,6 +24,12 @@ terraform { } } +dependencies { + paths = [ + "../eks-pipeline", + ] +} + inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id diff --git a/scripts/import-s3-bucket.sh b/scripts/import-s3-bucket.sh new file mode 100644 index 00000000..7d55d1c3 --- /dev/null +++ b/scripts/import-s3-bucket.sh 
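Review bot: `privileged_mode = true` in `build_configuration` gives the plan-stage CodeBuild container Docker-daemon (root-equivalent) access, and nothing in buildspecs/terragrunt.yml builds images or otherwise needs it, so drop it; the deploy stage, which does more, is configured without it. The two `TERRAGRUNT_PATH` values disagree: the plan stage hard-codes `"lab/development/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"` while the deploy stage uses `"lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"`, so in any environment other than development the pipeline plans one tree and applies another — use the deploy form in both. `subnet_filter = "*-container-*" # or any specific pattern you want to use` is a template placeholder comment; replace it with why this pattern is right for this cluster, or remove it. The module source pins `?ref=${include.root.inputs.release_version}`, which default-versions.hcl sets to `"initial"` for eks-pipeline while every sibling carries a semver; if `initial` is a branch rather than a tag the pipeline module is mutable between runs, so confirm and pin a tag.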
@@ -0,0 +1,25 @@ +#!/bin/bash +set -e + +# Parameters +BUCKET_NAME=$1 +AWS_REGION=$2 +AWS_PROFILE=$3 +MODULE_PATH=$4 + +if [ -z "$BUCKET_NAME" ] || [ -z "$AWS_REGION" ] || [ -z "$AWS_PROFILE" ] || [ -z "$MODULE_PATH" ]; then + echo "Usage: $0 " + echo "Example: $0 inf-s3-my-cluster-artifacts-123456789012-usge us-gov-east-1 123456789012-lab-dev-gov lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/pipeline" + exit 1 +fi + +echo "Importing S3 bucket ${BUCKET_NAME} into Terraform state..." + +cd "${MODULE_PATH}" + +# Initialize Terraform +terragrunt init + +# Import the S3 bucket to Terraform state using module references +terragrunt import module.codepipeline_s3.aws_s3_bucket.this "${BUCKET_NAME}" +echo "✅ Successfully imported S3 bucket ${BUCKET_NAME}"
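Review bot: `AWS_PROFILE=$3` and `AWS_REGION=$2` are assigned but never exported or passed on, so `terragrunt init` and `terragrunt import` run with whatever credentials the caller's environment already has and the profile argument is effectively ignored; add `export AWS_PROFILE AWS_REGION` right after the argument check (the AWS provider reads `AWS_PROFILE`; `AWS_DEFAULT_REGION` may be needed too, depending on provider version). The workflow calls this script non-interactively, but neither terragrunt invocation passes `--terragrunt-non-interactive`, so an init prompt would hang the job — add the flag to both. The usage message `echo "Usage: $0 "` prints no parameter names (they may have been lost as angle-bracket text), and the example path ends in `/pipeline` while the workflow passes `.../eks-pipeline`; restore the placeholders and align the example. `set -e` alone leaves unset variables and pipeline failures unchecked; `set -euo pipefail` is the usual form for a script that `cd`s into a caller-supplied path.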