HHS · devops-chris · Jan 4, 2024 · Dec 11, 2023 · Dec 11, 2023 · Dec 11, 2023
diff --git a/.github/actions/tf-apply/action.yaml b/.github/actions/tf-apply/action.yaml
@@ -0,0 +1,121 @@
+name: 'Terraform setup and apply'
+description: 'Setup Terraform and applies Terraform config'
+inputs:
+  terraform_directory:
+    description: 'Directory that holds Terraform code'
+    required: true
+  azure_client_id: 
+    description: 'Azure client id'
+    required: true
+  azure_client_secret: 
+    description: 'Azure client secret'
+    required: true
+  azure_subscription_id:
+    description: 'Azure subscription id'
+    required: true
+  azure_tenant_id:
+    description: 'Azure tenant id'
+    required: true
+  terraform_version: 
+    description: 'Terraform Version'
+    required: true
+    default: 1.5.7
+  github_token: 
+    description: 'GitHub token for auth'
+    required: true
+  pr_id:
+    description: 'Pull request ID'
+    required: false
+  tf_vars: 
+    description: 'A map of variable inputs for Terraform'
+    required: false
+  plan_workflow_file:
+    description: 'Filename of workflow containing the tf plan artifact.'
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Get last directory name
+      id: get-tf-dir
+      run: |
+        tf_dir=$(echo ${{ inputs.terraform_directory }} | rev | cut -d'/' -f1 | rev)
+        echo "tf_dir=$tf_dir" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Set Terraform Variables
+      run: |
+        if [[ -n "${INPUT_TF_VARS}" ]]; then
+          for key in $(echo "${INPUT_TF_VARS}" | jq -r 'keys[]'); do
+            value=$(echo "${INPUT_TF_VARS}" | jq -r ".$key")
+
+            echo "TF_VAR_${key// /}=${value}" >> $GITHUB_ENV
+
+            # Print debug statement
+            echo "Exported TF_VAR_${key// /}=${value}"
+          done
+        fi
+      shell: bash
+      env:
+        INPUT_TF_VARS: ${{ inputs.tf_vars }}
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 #v3.0.0
+      with:
+        terraform_version: ${{ inputs.terraform_version }}
+        terraform_wrapper: false
+
+    - name: Terraform Init
+      id: init
+      working-directory: ${{ inputs.terraform_directory }}
+      shell: bash
+      env:
+        ARM_CLIENT_ID: ${{ inputs.azure_client_id }}
+        ARM_CLIENT_SECRET: ${{ inputs.azure_client_secret }}
+        ARM_SUBSCRIPTION_ID: ${{ inputs.azure_subscription_id }}
+        ARM_TENANT_ID: ${{ inputs.azure_tenant_id }}
+      run: |
+        terraform init  
+
+    - name: Download Plan
+      id: download-plan
+      if: ${{ inputs.plan_workflow_file != '' }}
+      uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d #v3.0.0
+      with:
+        github_token: ${{ inputs.github_token }}
+        workflow: ${{ inputs.plan_workflow_file }}
+        pr: ${{ inputs.pr_id }}
+        name: ${{ inputs.pr_id }}-${{ steps.get-tf-dir.outputs.tf_dir }}-tf-plan
+        path: ${{ inputs.terraform_directory }}
+
+    - name: Terraform Apply
+      id: apply
+      working-directory: ${{ inputs.terraform_directory }}
+      shell: bash
+      env:
+        ARM_CLIENT_ID: ${{ inputs.azure_client_id }}
+        ARM_CLIENT_SECRET: ${{ inputs.azure_client_secret }}
+        ARM_SUBSCRIPTION_ID: ${{ inputs.azure_subscription_id }}
+        ARM_TENANT_ID: ${{ inputs.azure_tenant_id }}
+      run: |
+        echo 'apply<<EOF' >> $GITHUB_OUTPUT
+        if [ -f "tfplan" ]; then
+          terraform apply -input=false -no-color tfplan >> $GITHUB_OUTPUT
+        else
+          terraform apply -auto-approve -input=false -no-color >> $GITHUB_OUTPUT
+        fi
+        echo 'EOF' >> $GITHUB_OUTPUT
+
+    - name: Comment Apply
+      id: comment-apply
+      if: ${{ inputs.pr_id != '' }}
+      uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 #v3.1.0
+      with:
+        token: ${{ inputs.github_token }}
+        issue-number: ${{ inputs.pr_id }}
+        body: |
+          Terraform Apply for for ${{ inputs.terraform_directory }}:
+
+          ```
+          ${{ steps.apply.outputs.apply }}
+          ```
diff --git a/.github/actions/tf-plan/action.yaml b/.github/actions/tf-plan/action.yaml
@@ -0,0 +1,111 @@
+name: 'Terraform setup and plan'
+description: 'Setup Terraform and creates plan'
+inputs:
+  terraform_directory:
+    description: 'Directory that holds Terraform code'
+    required: true
+  azure_client_id: 
+    description: 'Azure client id'
+    required: true
+  azure_client_secret: 
+    description: 'Azure client secret'
+    required: true
+  azure_subscription_id:
+    description: 'Azure subscription id'
+    required: true
+  azure_tenant_id:
+    description: 'Azure tenant id'
+    required: true
+  terraform_version: 
+    description: 'Terraform Version'
+    required: true
+    default: 1.5.7
+  github_token: 
+    description: 'GitHub token for auth'
+    required: true
+  pr_id:
+    description: 'Pull request ID'
+    required: true
+  tf_vars: 
+    description: 'A map of variable inputs for Terraform'
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Get last directory name
+      id: get-tf-dir
+      run: |
+        tf_dir=$(echo ${{ inputs.terraform_directory }} | rev | cut -d'/' -f1 | rev)
+        echo "tf_dir=$tf_dir" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Set Terraform Variables
+      run: |
+        if [[ -n "${INPUT_TF_VARS}" ]]; then
+          for key in $(echo "${INPUT_TF_VARS}" | jq -r 'keys[]'); do
+            value=$(echo "${INPUT_TF_VARS}" | jq -r ".$key")
+
+            echo "TF_VAR_${key// /}=${value}" >> $GITHUB_ENV
+
+            # Print debug statement
+            echo "Exported TF_VAR_${key// /}=${value}"
+          done
+        fi
+      shell: bash
+      env:
+        INPUT_TF_VARS: ${{ inputs.tf_vars }}
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 #v3.0.0
+      with:
+        terraform_version: ${{ inputs.terraform_version }}
+        terraform_wrapper: false
+
+    - name: Terraform Init
+      id: init
+      working-directory: ${{ inputs.terraform_directory }}
+      shell: bash
+      env:
+        ARM_CLIENT_ID: ${{ inputs.azure_client_id }}
+        ARM_CLIENT_SECRET: ${{ inputs.azure_client_secret }}
+        ARM_SUBSCRIPTION_ID: ${{ inputs.azure_subscription_id }}
+        ARM_TENANT_ID: ${{ inputs.azure_tenant_id }}
+      run: |
+        terraform init
+
+    - name: Terraform Plan
+      id: plan
+      working-directory: ${{ inputs.terraform_directory }}
+      shell: bash
+      env:
+        ARM_CLIENT_ID: ${{ inputs.azure_client_id }}
+        ARM_CLIENT_SECRET: ${{ inputs.azure_client_secret }}
+        ARM_SUBSCRIPTION_ID: ${{ inputs.azure_subscription_id }}
+        ARM_TENANT_ID: ${{ inputs.azure_tenant_id }}
+      run: |
+        echo 'plan<<EOF' >> $GITHUB_OUTPUT
+        terraform plan -no-color -out=tfplan >> $GITHUB_OUTPUT
+        echo 'EOF' >> $GITHUB_OUTPUT
+
+    - name: Save Artifact
+      id: save-artifact
+      uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 #v4.0.0
+      with:
+        name: ${{ inputs.pr_id }}-${{ steps.get-tf-dir.outputs.tf_dir }}-tf-plan
+        path: ${{ inputs.terraform_directory }}/tfplan
+
+    - name: Comment Plan
+      id: comment-plan
+      uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 #v3.1.0
+      with:
+        token: ${{ inputs.github_token }}
+        issue-number: ${{ inputs.pr_id }}
+        body: |
+          Terraform Plan for ${{ inputs.terraform_directory }}:
+
+          ```
+          ${{ steps.plan.outputs.plan }}
+          ```
+
+          Plan saved to GH artifacts.
diff --git a/.github/workflows/dev_backend_pr.yml b/.github/workflows/dev_backend_pr.yml
@@ -0,0 +1,88 @@
+name: Dev BE Pull Request
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - backend/models/**
+      - backend/ops_api/**
+      - backend/Dockerfile.ops-api
+
+env:
+  TERRAFORM_VERSION: "1.5.7"
+  TF_IN_AUTOMATION: "True"
+  ENVIRONMENT: "dev"
+  WORKING_DIR: "backend"
+  DOCKER_FILE: "Dockerfile.ops-api"
+
+jobs:
+  build:
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Build and publish the Docker image for ${{ github.repository }}
+        uses: macbre/push-to-ghcr@0f6c180522d02d9e608096c4dcf3b691193b4d44 #v13
+        with:
+          image_name: ${{ github.repository }}/ops-${{ env.WORKING_DIR }} # it will be lowercased internally
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          context: ${{ github.workspace }}/${{ env.WORKING_DIR }}
+          dockerfile: ${{ github.workspace }}/${{ env.WORKING_DIR }}/${{ env.DOCKER_FILE }}
+          image_tag: ${{ github.sha }}
+
+  plan-backend-deploy:
+    needs: build
+    permissions:
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Terraform Plan
+        uses: ./.github/actions/tf-plan
+        with:
+          terraform_directory: "terraform/eus/${{ env.ENVIRONMENT }}/${{ env.WORKING_DIR }}"
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+          azure_client_id: ${{ secrets.ARM_CLIENT_ID }}
+          azure_client_secret: ${{ secrets.ARM_CLIENT_SECRET }}
+          azure_subscription_id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          azure_tenant_id: ${{ secrets.ARM_TENANT_ID }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_id: ${{ github.event.pull_request.number }}
+          tf_vars: |
+            {
+              "environment": "${{ env.ENVIRONMENT }}",
+              "container_tag": "${{ github.sha }}"
+            }
+
+  plan-backend-asa-deploy:
+    needs: build
+    permissions:
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Terraform Plan
+        uses: ./.github/actions/tf-plan
+        with:
+          terraform_directory: "terraform/eus/${{ env.ENVIRONMENT }}/${{ env.WORKING_DIR }}_asa"
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+          azure_client_id: ${{ secrets.ARM_CLIENT_ID }}
+          azure_client_secret: ${{ secrets.ARM_CLIENT_SECRET }}
+          azure_subscription_id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          azure_tenant_id: ${{ secrets.ARM_TENANT_ID }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_id: ${{ github.event.pull_request.number }}
+          tf_vars: |
+            {
+              "environment": "${{ env.ENVIRONMENT }}",
+              "container_tag": "${{ github.sha }}"
+            }
diff --git a/.github/workflows/dev_backend_pr_merge.yml b/.github/workflows/dev_backend_pr_merge.yml
@@ -0,0 +1,62 @@
+name: Dev BE Pull Request Merged
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+    paths:
+      - backend/models/**
+      - backend/ops_api/**
+      - backend/Dockerfile.ops-api
+
+env:
+  TERRAFORM_VERSION: "1.5.7"
+  TF_IN_AUTOMATION: "True"
+  ENVIRONMENT: "dev"
+  WORKING_DIR: "backend"
+
+jobs:
+  apply-deploy:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.merged }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Terraform Apply
+        uses: ./.github/actions/tf-apply
+        with:
+          terraform_directory: "terraform/eus/${{ env.ENVIRONMENT }}/${{ env.WORKING_DIR }}"
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+          azure_client_id: ${{ secrets.ARM_CLIENT_ID }}
+          azure_client_secret: ${{ secrets.ARM_CLIENT_SECRET }}
+          azure_subscription_id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          azure_tenant_id: ${{ secrets.ARM_TENANT_ID }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_id: ${{ github.event.pull_request.number }}
+          plan_workflow_file: ${{ env.ENVIRONMENT }}_${{ env.WORKING_DIR }}_pr.yml
+
+  apply-asa-deploy:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.merged }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Terraform Apply
+        uses: ./.github/actions/tf-apply
+        with:
+          terraform_directory: "terraform/eus/${{ env.ENVIRONMENT }}/${{ env.WORKING_DIR }}_asa"
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+          azure_client_id: ${{ secrets.ARM_CLIENT_ID }}
+          azure_client_secret: ${{ secrets.ARM_CLIENT_SECRET }}
+          azure_subscription_id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          azure_tenant_id: ${{ secrets.ARM_TENANT_ID }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_id: ${{ github.event.pull_request.number }}
+          plan_workflow_file: ${{ env.ENVIRONMENT }}_${{ env.WORKING_DIR }}_pr.yml