feat: staging environment (#182)

* feat: staging environment * chore: use right account id * chore: remove scan queue for later * chore: remove from matrix * chore: apply workflow * fix: use correct secret * chore: remove condition * chore: override defaults for integration test module * chore: typo * chore: bump and removed unused input
cds-snc · Jul 12, 2022 · 2c8b4be · 2c8b4be
1 parent 568935b
commit 2c8b4be
Show file tree

Hide file tree

Showing 20 changed files with 789 additions and 14 deletions.
diff --git a/.github/workflows/tf_apply_staging.yml b/.github/workflows/tf_apply_staging.yml
@@ -0,0 +1,93 @@
+name: "Terraform apply staging"
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "terragrunt/**"
+      - ".github/workflows/tf_apply_staging.yml"
+
+env:
+  TERRAFORM_VERSION: 1.0.3
+  TERRAGRUNT_VERSION: 0.38.4
+  TF_VAR_api_auth_token: ${{ secrets.STAGING_API_AUTH_TOKEN }}
+  TF_VAR_aws_org_id: ${{ secrets.STAGING_AWS_ORG_ID }}
+  TF_VAR_rds_password: ${{ secrets.STAGING_RDS_PASSWORD }}
+  TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_STAGING_OPS_WEBHOOK }}
+  AWS_REGION: ca-central-1
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+  actions: write
+  checks: write
+  statuses: write
+
+jobs:
+  terragrunt-apply:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: setup terraform tools
+        uses: cds-snc/terraform-tools-setup@v1
+
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # tag=v2.10.2
+        id: filter
+        with:
+          filters: |
+            alarms:
+              - 'terragrunt/aws/alarms/**'
+              - 'terragrunt/env/staging/alarms/**'
+            api:
+              - 'terragrunt/aws/api/**'
+              - 'terragrunt/env/staging/api/**'
+            hosted_zone:
+              - 'terragrunt/aws/hosted_zone/**'
+              - 'terragrunt/env/staging/hosted_zone/**'
+            integration_test:
+              - 'terragrunt/aws/integration_test/**'
+              - 'terragrunt/env/staging/integration_test/**'
+            s3_scan_object:
+              - 'terragrunt/aws/s3_scan_object/**'
+              - 'terragrunt/env/staging/s3_scan_object/**'
+
+      - name: configure aws credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 # tag=v1.6.1
+        with:
+          role-to-assume: arn:aws:iam::127893201980:role/OIDCGithubWorkflowRole
+          role-session-name: TFApply
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Apply hosted_zone
+        if: ${{ steps.filter.outputs.hosted_zone == 'true' }}
+        working-directory: terragrunt/env/staging/hosted_zone
+        run: |
+          terragrunt apply --terragrunt-non-interactive -auto-approve
+
+      - name: Apply integration_test
+        if: ${{ steps.filter.outputs.integration_test == 'true' }}
+        working-directory: terragrunt/env/staging/integration_test
+        run: |
+          terragrunt apply --terragrunt-non-interactive -auto-approve
+
+      - name: Apply api
+        if: ${{ steps.filter.outputs.api == 'true' }}
+        working-directory: terragrunt/env/staging/api
+        run: |
+          terragrunt apply --terragrunt-non-interactive -auto-approve
+
+      - name: Apply s3_scan_object
+        if: ${{ steps.filter.outputs.s3_scan_object == 'true' }}
+        working-directory: terragrunt/env/staging/s3_scan_object
+        run: |
+          terragrunt apply --terragrunt-non-interactive -auto-approve
+
+      - name: Apply alarms
+        if: ${{ steps.filter.outputs.alarms == 'true' }}
+        working-directory: terragrunt/env/staging/alarms
+        run: |
+          terragrunt apply --terragrunt-non-interactive -auto-approve
diff --git a/.github/workflows/tf_plan_staging.yml b/.github/workflows/tf_plan_staging.yml
@@ -0,0 +1,60 @@
+name: "Terraform plan staging"
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - "terragrunt/**"
+      - ".github/workflows/tf_plan_staging.yml"
+env:
+  AWS_REGION: ca-central-1
+  TERRAFORM_VERSION: 1.0.3
+  TERRAGRUNT_VERSION: 0.38.4
+  CONFTEST_VERSION: 0.27.0
+  TF_VAR_api_auth_token: ${{ secrets.STAGING_API_AUTH_TOKEN }}
+  TF_VAR_aws_org_id: ${{ secrets.STAGING_AWS_ORG_ID }}
+  TF_VAR_rds_password: ${{ secrets.STAGING_RDS_PASSWORD }}
+  TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_STAGING_OPS_WEBHOOK }}
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+  actions: write
+  checks: write
+  statuses: write
+
+jobs:
+  terraform-plan:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - module: alarms
+          - module: api
+          - module: hosted_zone
+          - module: integration_test
+          - module: s3_scan_object
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: setup terraform tools
+        uses: cds-snc/terraform-tools-setup@v1
+
+      - name: configure aws credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 # tag=v1.6.1
+        with:
+          role-to-assume: arn:aws:iam::127893201980:role/OIDCGithubWorkflowRole
+          role-session-name: TFPlan
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Terraform plan
+        uses: cds-snc/terraform-plan@dce0ba2ac808e5c2b3499c8073adef25aaa559f3 # tag=v2.0.8
+        with:
+          comment-delete: true
+          comment-title: Staging Plan for ${{ matrix.module }}
+          directory: ./terragrunt/env/staging/${{ matrix.module }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          terragrunt: true
diff --git a/terragrunt/aws/api/inputs.tf b/terragrunt/aws/api/inputs.tf
@@ -27,3 +27,7 @@ variable "scan_queue_statemachine_name" {
 variable "hosted_zone_id" {
   type = string
 }
+
+variable "oidc_exists" {
+  type = bool
+}
diff --git a/terragrunt/aws/api/oidc_iam.tf b/terragrunt/aws/api/oidc_iam.tf
@@ -12,7 +12,7 @@ module "gh_oidc_roles" {
       claim     = "*"
     }
   ]
-  oidc_exists       = false
+  oidc_exists       = var.oidc_exists
   billing_tag_value = var.billing_code
 
 }

diff --git a/terragrunt/aws/integration_test/s3_scan_object.tf b/terragrunt/aws/integration_test/s3_scan_object.tf
@@ -1,8 +1,11 @@
 module "integration_test" {
-  source = "github.com/cds-snc/terraform-modules?ref=v3.0.9//S3_scan_object"
+  source = "github.com/cds-snc/terraform-modules?ref=v3.0.10//S3_scan_object"
 
-  product_name          = "integration-test"
-  s3_upload_bucket_name = module.integration_test_bucket.s3_bucket_id
+  product_name                = "integration-test"
+  s3_upload_bucket_name       = module.integration_test_bucket.s3_bucket_id
+  scan_files_role_arn         = "arn:aws:iam::${var.account_id}:role/scan-files-api"
+  s3_scan_object_function_arn = "arn:aws:lambda:ca-central-1:${var.account_id}:function:s3-scan-object"
+  s3_scan_object_role_arn     = "arn:aws:iam::${var.account_id}:role/s3-scan-object"
 
   billing_tag_value = var.billing_code
 }

diff --git a/terragrunt/env/backend.tf b/terragrunt/env/backend.tf
diff --git a/terragrunt/env/production/api/terragrunt.hcl b/terragrunt/env/production/api/terragrunt.hcl
@@ -19,6 +19,7 @@ dependency "hosted_zone" {
 inputs = {
   rds_username   = "databaseuser"
   hosted_zone_id = dependency.hosted_zone.outputs.hosted_zone_id
+  oidc_exists    = false
 }
 
 include {

diff --git a/terragrunt/env/staging/alarms/terragrunt.hcl b/terragrunt/env/staging/alarms/terragrunt.hcl
@@ -0,0 +1,25 @@
+terraform {
+  source = "../../../aws//alarms"
+}
+
+dependencies {
+  paths = ["../api"]
+}
+
+dependency "api" {
+  config_path = "../api"
+
+  mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs_merge_strategy_with_state  = "shallow"
+  mock_outputs = {
+    route53_health_check_api_id = ""
+  }
+}
+
+inputs = {
+  route53_health_check_api_id = dependency.api.outputs.route53_health_check_api_id
+}
+
+include {
+  path = find_in_parent_folders()
+}
diff --git a/terragrunt/env/staging/api/.terraform.lock.hcl b/terragrunt/env/staging/api/.terraform.lock.hcl
diff --git a/terragrunt/env/staging/api/terragrunt.hcl b/terragrunt/env/staging/api/terragrunt.hcl
@@ -0,0 +1,27 @@
+terraform {
+  source = "../../../aws//api"
+}
+
+dependencies {
+  paths = ["../hosted_zone"]
+}
+
+dependency "hosted_zone" {
+  config_path = "../hosted_zone"
+
+  mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs_merge_strategy_with_state  = "shallow"
+  mock_outputs = {
+    hosted_zone_id = ""
+  }
+}
+
+inputs = {
+  rds_username   = "databaseuser"
+  hosted_zone_id = dependency.hosted_zone.outputs.hosted_zone_id
+  oidc_exists    = true
+}
+
+include {
+  path = find_in_parent_folders()
+}
diff --git a/terragrunt/env/staging/env_vars.hcl b/terragrunt/env/staging/env_vars.hcl
@@ -0,0 +1,6 @@
+inputs = {
+  account_id       = "127893201980"
+  env              = "staging"
+  cost_center_code = "scan-files-staging"
+  domain           = "scan-files.cdssandbox.xyz"
+}
diff --git a/terragrunt/env/staging/hosted_zone/.terraform.lock.hcl b/terragrunt/env/staging/hosted_zone/.terraform.lock.hcl
diff --git a/terragrunt/env/staging/hosted_zone/terragrunt.hcl b/terragrunt/env/staging/hosted_zone/terragrunt.hcl
@@ -0,0 +1,7 @@
+terraform {
+  source = "../../../aws//hosted_zone"
+}
+
+include {
+  path = find_in_parent_folders()
+}
diff --git a/terragrunt/env/staging/integration_test/terragrunt.hcl b/terragrunt/env/staging/integration_test/terragrunt.hcl
@@ -0,0 +1,7 @@
+terraform {
+  source = "../../../aws//integration_test"
+}
+
+include {
+  path = find_in_parent_folders()
+}
diff --git a/terragrunt/env/staging/s3_scan_object/.terraform.lock.hcl b/terragrunt/env/staging/s3_scan_object/.terraform.lock.hcl