From 6c715a90577c385c2b65b9983ab6fe639b09b20d Mon Sep 17 00:00:00 2001 From: andrea rota Date: Mon, 18 Mar 2024 10:20:15 +0000 Subject: [PATCH 1/3] use latest fountainhead/action-wait-for-check [MRXNM-40] Following deprecation of actions running on Node v16. --- .github/workflows/deploy-to-kubernetes.yml | 8 ++++---- .github/workflows/publish-marxan-docker-images.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deploy-to-kubernetes.yml b/.github/workflows/deploy-to-kubernetes.yml index e4beb64376..fdecbd8822 100644 --- a/.github/workflows/deploy-to-kubernetes.yml +++ b/.github/workflows/deploy-to-kubernetes.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Wait for API image to be pushed to Docker Hub - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} checkName: Push API Docker image to Azure Container Registry @@ -30,7 +30,7 @@ jobs: intervalSeconds: 30 - name: Wait for Geoprocessing image to be pushed to Docker Hub - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} checkName: Push Geoprocessing Docker image to Azure Container Registry @@ -38,7 +38,7 @@ jobs: intervalSeconds: 30 - name: Wait for Client image to be pushed to Docker Hub - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} checkName: Push Client Docker image to Azure Container Registry @@ -46,7 +46,7 @@ jobs: intervalSeconds: 30 - name: Wait for Webshot image to be pushed to Docker Hub - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} checkName: Push Webshot Docker image to Azure Container Registry 
diff --git a/.github/workflows/publish-marxan-docker-images.yml b/.github/workflows/publish-marxan-docker-images.yml index 2d7fdcc52e..339a2365a4 100644 --- a/.github/workflows/publish-marxan-docker-images.yml +++ b/.github/workflows/publish-marxan-docker-images.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Wait for API tests to run if: ${{ github.event.inputs.waitForTest == 'true' }} - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} checkName: API Tests @@ -42,7 +42,7 @@ jobs: - name: Wait for Client tests to run if: ${{ github.event.inputs.waitForTest == 'true' }} - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} checkName: Client Tests From 9aa6eae5921c749c6e66aec5de20ae5501c15013 Mon Sep 17 00:00:00 2001 From: andrea rota Date: Mon, 18 Mar 2024 16:07:09 +0000 Subject: [PATCH 2/3] use latest integrations/github provider This is so we can manage GitHub Actions variables (where appropriate to use them instead of GitHub Actions secrets). --- infrastructure/base/.terraform.lock.hcl | 118 ++++++++++++------------ infrastructure/base/versions.tf | 2 +- 2 files changed, 60 insertions(+), 60 deletions(-) diff --git a/infrastructure/base/.terraform.lock.hcl b/infrastructure/base/.terraform.lock.hcl index de5d9004df..e063c331f7 100644 --- a/infrastructure/base/.terraform.lock.hcl +++ b/infrastructure/base/.terraform.lock.hcl 
@@ -42,42 +42,42 @@ provider "registry.terraform.io/hashicorp/azurerm" { } provider "registry.terraform.io/hashicorp/github" { - version = "5.9.1" + version = "6.1.0" hashes = [ - "h1:S0eAD8z5oIM7pCZIuZCH3RvdjC5Z4cc6aG8XQz0QWPg=", - "zh:0a61a1e5bb556ff6f905b5df6d2f55b673cabd9a55b139d7e7957dfaef01a723", - "zh:0a9a0431ad48540dc8f2e802aafe35cdb435cd5a2b940a396f7a51555da75aa1", - "zh:1274b93e369d696cfc9c3ffee5093a4d8e45d027c11e59fb375a0d2ee78e0b49", - "zh:16157ec4b1f62c8b8dec647c0d6d8e0b02687f5b0674530233973b329716a2c7", - "zh:2f94a7545109c435bc01298341bdec59feba47665b456e0bd488b85baed9300a", - "zh:503e04c657ea2f81ff655e6deba51260527c41728e27d2bfc3e8127c92655251", - "zh:785f0949b0a5f44d53e3e152479a374336f9ab213cb32d6ad06ac221eaa78e23", - "zh:8ec0da6eb61cb4f9862899dd48d85281fe55039649cc4a1b21a7e9f3e04d39a6", - "zh:9a984d7420b3560b8c785bba2e5fdae57aa24267aff9c99e5426546eb2b2e4e3", - "zh:b66a335a1dec93a4bff0c1abf0ce859e1e1d7a8724fab59e0a21d8dbf890dad7", - "zh:cef84a7cd751dccc221e81ddea5a775b4183251309248da81edcf80601126126", - "zh:ddda79701c2e658e1b58005a1b9d3b9fd47cfe08cf6891560e94718ae7856aca", - "zh:f0ec0ce220fc1fe9e302df44efb591a51bd399827c423662fea63f18b9f02095", - "zh:f5c4a26c129acc7dc42cfb0d3fc0bb071c180163703ed5b2a14c29a3c56270a4", + "h1:LZeec2qr5cNz6MIVrQArl11E1hRnEdzkS7JUrc/8cus=", + "zh:03c2a7d7fa334b5abb1ea4962bb2ffabfff96ec883b1a62445fe724d4a541313", + "zh:144f77865c87843635a3f6a0d52530ab3a6270b04dfa2da744a9fc0003b64900", + "zh:4cfa42e679be22e516b8e0294688d6cfc896c0e1456387fd9d10d09d84e99c6d", + "zh:5ff9e90b7bc9008f5b7fb0d9ef0c7c67eb8fb29439309620de1b0b1810b3e7f9", + "zh:7bfe85fcbef2b4b6ff5eff8bc82a590f2471e71297207616014c852e7385921b", + "zh:a105ec4828973821a9618c0e058f5a597de014edf7aa64d97b7f4fc528abbc36", + "zh:a495c5b3bc6ce3d6261e9d1ba7f285e7e463b5f6ad15e533d5b7037ab985530f", + "zh:a4d7e43b7b59f41022e9137115440df46aa9de62a187ae4a35fb9fc388fca4c3", + "zh:a75ab20f5032e2ebcfe288e06d0f4f8eafd8fed569be7ac7c384e55c294ada43", + 
"zh:cb6e9cde411355ad477a60fecb8ed9b665d8475761949e03aceed57851842385", + "zh:d833d63b5374841e667647fde74d2388d1249a097a633b4bba20ad175b7db681", + "zh:e4e5aab1a6e37fb8220621673384b62a3f2693ca1052487eb4ca38426a40bc8b", + "zh:f06a84ddf6723e880997c0f773b500b3fabcecb1230d9ed2d93943700802c876", + "zh:f9695f2ceddfc243834a10bd91cfb8aa1b0e7cdb9eee14d17d49b4f439440b86", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.4.3" + version = "3.6.0" hashes = [ - "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=", - "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", - "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", - "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", + "h1:R5Ucn26riKIEijcsiOMBR3uOAjuOMfI1x7XvH4P6B1w=", + "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d", + "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211", + "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829", + "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d", + "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", - "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", - "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", - "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", - "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", - "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", - "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", - "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", + "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17", + "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21", + 
"zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839", + "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0", + "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c", + "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e", ] } 
@@ -100,42 +100,42 @@ provider "registry.terraform.io/hashicorp/template" { } provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.4" + version = "4.0.5" hashes = [ - "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", - "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", - "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", - "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", - "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", - "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", - "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", - "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", - "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", - "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", - "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", - "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=", + "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", + "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", + "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", + "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", + "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", + "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", + "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", + "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", + "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", + "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", + "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider 
"registry.terraform.io/integrations/github" { - version = "5.9.1" - constraints = "5.9.1" + version = "6.1.0" + constraints = "6.1.0" hashes = [ - "h1:S0eAD8z5oIM7pCZIuZCH3RvdjC5Z4cc6aG8XQz0QWPg=", - "zh:0a61a1e5bb556ff6f905b5df6d2f55b673cabd9a55b139d7e7957dfaef01a723", - "zh:0a9a0431ad48540dc8f2e802aafe35cdb435cd5a2b940a396f7a51555da75aa1", - "zh:1274b93e369d696cfc9c3ffee5093a4d8e45d027c11e59fb375a0d2ee78e0b49", - "zh:16157ec4b1f62c8b8dec647c0d6d8e0b02687f5b0674530233973b329716a2c7", - "zh:2f94a7545109c435bc01298341bdec59feba47665b456e0bd488b85baed9300a", - "zh:503e04c657ea2f81ff655e6deba51260527c41728e27d2bfc3e8127c92655251", - "zh:785f0949b0a5f44d53e3e152479a374336f9ab213cb32d6ad06ac221eaa78e23", - "zh:8ec0da6eb61cb4f9862899dd48d85281fe55039649cc4a1b21a7e9f3e04d39a6", - "zh:9a984d7420b3560b8c785bba2e5fdae57aa24267aff9c99e5426546eb2b2e4e3", - "zh:b66a335a1dec93a4bff0c1abf0ce859e1e1d7a8724fab59e0a21d8dbf890dad7", - "zh:cef84a7cd751dccc221e81ddea5a775b4183251309248da81edcf80601126126", - "zh:ddda79701c2e658e1b58005a1b9d3b9fd47cfe08cf6891560e94718ae7856aca", - "zh:f0ec0ce220fc1fe9e302df44efb591a51bd399827c423662fea63f18b9f02095", - "zh:f5c4a26c129acc7dc42cfb0d3fc0bb071c180163703ed5b2a14c29a3c56270a4", + "h1:LZeec2qr5cNz6MIVrQArl11E1hRnEdzkS7JUrc/8cus=", + "zh:03c2a7d7fa334b5abb1ea4962bb2ffabfff96ec883b1a62445fe724d4a541313", + "zh:144f77865c87843635a3f6a0d52530ab3a6270b04dfa2da744a9fc0003b64900", + "zh:4cfa42e679be22e516b8e0294688d6cfc896c0e1456387fd9d10d09d84e99c6d", + "zh:5ff9e90b7bc9008f5b7fb0d9ef0c7c67eb8fb29439309620de1b0b1810b3e7f9", + "zh:7bfe85fcbef2b4b6ff5eff8bc82a590f2471e71297207616014c852e7385921b", + "zh:a105ec4828973821a9618c0e058f5a597de014edf7aa64d97b7f4fc528abbc36", + "zh:a495c5b3bc6ce3d6261e9d1ba7f285e7e463b5f6ad15e533d5b7037ab985530f", + "zh:a4d7e43b7b59f41022e9137115440df46aa9de62a187ae4a35fb9fc388fca4c3", + "zh:a75ab20f5032e2ebcfe288e06d0f4f8eafd8fed569be7ac7c384e55c294ada43", + 
"zh:cb6e9cde411355ad477a60fecb8ed9b665d8475761949e03aceed57851842385", + "zh:d833d63b5374841e667647fde74d2388d1249a097a633b4bba20ad175b7db681", + "zh:e4e5aab1a6e37fb8220621673384b62a3f2693ca1052487eb4ca38426a40bc8b", + "zh:f06a84ddf6723e880997c0f773b500b3fabcecb1230d9ed2d93943700802c876", + "zh:f9695f2ceddfc243834a10bd91cfb8aa1b0e7cdb9eee14d17d49b4f439440b86", ] } diff --git a/infrastructure/base/versions.tf b/infrastructure/base/versions.tf index 55e6e4255f..cdd9e43654 100644 --- a/infrastructure/base/versions.tf +++ b/infrastructure/base/versions.tf @@ -15,7 +15,7 @@ terraform { github = { source = "integrations/github" - version = "5.9.1" + version = "6.1.0" } } required_version = "1.4.5" From f8a5c20aaffbe985fceed09ee92b133eac8f4a42 Mon Sep 17 00:00:00 2001 From: andrea rota Date: Tue, 19 Mar 2024 18:51:26 +0000 Subject: [PATCH 3/3] use vars rather than secrets where appropriate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Plaintext variables were only introduced after the initial development of Marxan’s CI workflows: https://github.blog/changelog/2023-01-10-github-actions-support-for-configuration-variables-in-workflows/ Keeping only true secret values as GitHub Actions secrets allows better inspectability of what is configured in terms of CI keys/values. --- .github/workflows/deploy-to-kubernetes.yml | 6 +- .github/workflows/e2e-client.yml | 2 +- .../publish-marxan-docker-images.yml | 42 ++++----- .../publish-webshot-docker-images.yml | 10 +-- infrastructure/README.md | 34 +++++-- .../base/modules/github_secrets/main.tf | 90 +++++++++---------- 6 files changed, 100 insertions(+), 84 deletions(-) diff --git a/.github/workflows/deploy-to-kubernetes.yml b/.github/workflows/deploy-to-kubernetes.yml index fdecbd8822..5664351664 100644 --- a/.github/workflows/deploy-to-kubernetes.yml +++ b/.github/workflows/deploy-to-kubernetes.yml 
@@ -78,7 +78,7 @@ jobs: - name: Add custom host data run: | - sudo sh -c 'echo "127.0.0.1 ${{ secrets.AZURE_AKS_HOST }}" >> /etc/hosts' + sudo sh -c 'echo "127.0.0.1 ${{ env.AZURE_AKS_HOST }}" >> /etc/hosts' - name: Install kubectl uses: azure/setup-kubectl@v3 @@ -88,12 +88,12 @@ jobs: - name: Config kubectl run: | mkdir ~/.kube - az aks get-credentials --resource-group ${{ secrets.AZURE_RESOURCE_GROUP }} --name ${{ secrets.AZURE_AKS_CLUSTER_NAME }} + az aks get-credentials --resource-group ${{ env.AZURE_RESOURCE_GROUP }} --name ${{ env.AZURE_AKS_CLUSTER_NAME }} sed -i 's/\([[:alnum:]]\+\?.privatelink.[[:alnum:]]\+\?.azmk8s.io\):443/\1:4433/g' ~/.kube/config - name: Creating SSH tunnel run: | - ssh -i ~/.ssh/bastion.key -o StrictHostKeyChecking=no -N -L 4433:${{ secrets.AZURE_AKS_HOST }}:443 ${{ secrets.BASTION_USER }}@${{ secrets.BASTION_HOST }} -T & + ssh -i ~/.ssh/bastion.key -o StrictHostKeyChecking=no -N -L 4433:${{ env.AZURE_AKS_HOST }}:443 ${{ env.BASTION_USER }}@${{ env.BASTION_HOST }} -T & - name: Redeploy production pods if: ${{ github.ref == 'refs/heads/main' }} diff --git a/.github/workflows/e2e-client.yml b/.github/workflows/e2e-client.yml index f0b0bde8b9..618642942d 100644 --- a/.github/workflows/e2e-client.yml +++ b/.github/workflows/e2e-client.yml @@ -41,7 +41,7 @@ jobs: path: playwright-report/ retention-days: 30 env: - NEXT_PUBLIC_MAPBOX_API_TOKEN: ${{ secrets.NEXT_PUBLIC_MAPBOX_API_TOKEN }} + NEXT_PUBLIC_MAPBOX_API_TOKEN: ${{ env.NEXT_PUBLIC_MAPBOX_API_TOKEN }} # Recommended: pass the GitHub token lets this action correctly # determine the unique run id necessary to re-run the checks GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/publish-marxan-docker-images.yml b/.github/workflows/publish-marxan-docker-images.yml index 339a2365a4..e89e2eedbb 100644 --- a/.github/workflows/publish-marxan-docker-images.yml +++ b/.github/workflows/publish-marxan-docker-images.yml 
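Review bot: `${{ env.AZURE_AKS_HOST }}` on the first changed line, and every other `env.*` reference in these two hunks, reads the workflow's `env:` mapping rather than the repository variables that this commit's `github_actions_variable` resources create; those are exposed through the `vars` context, e.g. `${{ vars.AZURE_AKS_HOST }}`. Unless an `env:` block outside the hunks maps each name from `vars` (the diffstat shows only these three lines changed in this file), the expressions expand to empty strings and `az aks get-credentials` and the SSH tunnel run with a blank resource group, cluster name and host. The same `env.` substitution appears in e2e-client.yml, publish-marxan-docker-images.yml and publish-webshot-docker-images.yml in this commit. Values moved out of secrets are also no longer masked in job logs, so the private AKS FQDN, bastion host and bastion user will appear verbatim in these `run:` steps' output; worth confirming that is acceptable for this repository's visibility. Separately, the actions in this file are pinned by mutable tag (`azure/setup-kubectl@v3` is visible as context); pinning to a full commit SHA with the tag in a trailing comment is the usual hardening.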
@@ -67,15 +67,15 @@ jobs: - name: Build and push image uses: azure/docker-login@v1 with: - login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }} - username: ${{ secrets.REGISTRY_USERNAME }} + login-server: ${{ env.REGISTRY_LOGIN_SERVER }} + username: ${{ env.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - run: | docker build ./api -f api/api.Dockerfile \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.sha }} \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} - docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-api + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.sha }} \ + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-api:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} + docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-api push_geoprocessing_to_registry: name: Push Geoprocessing Docker image to Azure Container Registry @@ -95,15 +95,15 @@ jobs: - name: Build and push image uses: azure/docker-login@v1 with: - login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }} - username: ${{ secrets.REGISTRY_USERNAME }} + login-server: ${{ env.REGISTRY_LOGIN_SERVER }} + username: ${{ env.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - run: | docker build ./api -f api/geo.Dockerfile \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.sha }} \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} - docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.sha }} \ + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} + docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-geoprocessing push_client_to_registry: name: Push Client Docker image to Azure Container Registry 
@@ -124,19 +124,19 @@ jobs: - name: Build and push image uses: azure/docker-login@v1 with: - login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }} - username: ${{ secrets.REGISTRY_USERNAME }} + login-server: ${{ env.REGISTRY_LOGIN_SERVER }} + username: ${{ env.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - run: | docker build ./app \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.sha }} \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} \ - --build-arg NEXT_PUBLIC_URL=${{ github.ref != 'refs/heads/main' && secrets.NEXT_PUBLIC_URL_STAGING || secrets.NEXT_PUBLIC_URL_PRODUCTION }} \ - --build-arg NEXT_PUBLIC_API_URL=${{ github.ref != 'refs/heads/main' && secrets.NEXT_PUBLIC_API_URL_STAGING || secrets.NEXT_PUBLIC_API_URL_PRODUCTION }} \ - --build-arg NEXTAUTH_URL=${{ github.ref != 'refs/heads/main' && secrets.NEXTAUTH_URL_STAGING || secrets.NEXTAUTH_URL_PRODUCTION }} \ - --build-arg NEXT_PUBLIC_FEATURE_FLAGS=${{ github.ref != 'refs/heads/main' && secrets.NEXT_PUBLIC_FEATURE_FLAGS_STAGING || secrets.NEXT_PUBLIC_FEATURE_FLAGS_PRODUCTION }} \ - --build-arg NEXT_PUBLIC_MAPBOX_API_TOKEN=${{ secrets.NEXT_PUBLIC_MAPBOX_API_TOKEN }} \ + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.sha }} \ + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-client:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} \ + --build-arg NEXT_PUBLIC_URL=${{ github.ref != 'refs/heads/main' && env.NEXT_PUBLIC_URL_STAGING || env.NEXT_PUBLIC_URL_PRODUCTION }} \ + --build-arg NEXT_PUBLIC_API_URL=${{ github.ref != 'refs/heads/main' && env.NEXT_PUBLIC_API_URL_STAGING || env.NEXT_PUBLIC_API_URL_PRODUCTION }} \ + --build-arg NEXTAUTH_URL=${{ github.ref != 'refs/heads/main' && env.NEXTAUTH_URL_STAGING || env.NEXTAUTH_URL_PRODUCTION }} \ + --build-arg NEXT_PUBLIC_FEATURE_FLAGS=${{ github.ref != 'refs/heads/main' && env.NEXT_PUBLIC_FEATURE_FLAGS_STAGING || 
env.NEXT_PUBLIC_FEATURE_FLAGS_PRODUCTION }} \ + --build-arg NEXT_PUBLIC_MAPBOX_API_TOKEN=${{ env.NEXT_PUBLIC_MAPBOX_API_TOKEN }} \ --build-arg ENABLE_MAINTENANCE_MODE=${{ github.event.inputs.enable_maintenance_mode }} \ - --build-arg NEXT_PUBLIC_CONTACT_EMAIL=${{ secrets.NEXT_PUBLIC_CONTACT_EMAIL }} - docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-client + --build-arg NEXT_PUBLIC_CONTACT_EMAIL=${{ env.NEXT_PUBLIC_CONTACT_EMAIL }} + docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-client diff --git a/.github/workflows/publish-webshot-docker-images.yml b/.github/workflows/publish-webshot-docker-images.yml index e1be3a1a3b..c078523908 100644 --- a/.github/workflows/publish-webshot-docker-images.yml +++ b/.github/workflows/publish-webshot-docker-images.yml @@ -34,12 +34,12 @@ jobs: - name: Build and push image uses: azure/docker-login@v1 with: - login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }} - username: ${{ secrets.REGISTRY_USERNAME }} + login-server: ${{ env.REGISTRY_LOGIN_SERVER }} + username: ${{ env.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - run: | docker build ./webshot \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.sha }} \ - -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} - docker push -a ${{ secrets.REGISTRY_LOGIN_SERVER }}/marxan-webshot + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.sha }} \ + -t ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-webshot:${{ github.ref != 'refs/heads/main' && 'staging' || 'production' }} + docker push -a ${{ env.REGISTRY_LOGIN_SERVER }}/marxan-webshot diff --git a/infrastructure/README.md b/infrastructure/README.md index 6fb2423f67..b277540917 100644 --- a/infrastructure/README.md +++ b/infrastructure/README.md 
@@ -97,23 +97,39 @@ the services on kubernetes, which is done by this plan. #### Github Actions -As part of this infrastructure, Github Actions are used to automatically build and push Docker images to Azure ACR, and -to redeploy Kubernetes pods once that happens. Said Github Actions depend on specific Github Secrets, that are listed below -for reference. Said secrets are automatically created by the `base` Terraform project, and do not need to be created manually. +As part of this infrastructure, Github Actions are used to automatically build +and push Docker images to Azure ACR, and to redeploy Kubernetes pods once that +happens. Said Github Actions depend on specific Github Secrets and Variables, +that are listed below for reference. + +Secrets and variables listed below are automatically created by the `base` +Terraform project, and do not need to be created manually. Their value often +depends on the outputs of other Terraform modules, so configuring all these via +Terraform (and avoiding to change them manually within the settings of the +relevant GitHub repository) guarantees that values available to GitHub actions +are always coherent with the state of the terraformed infrastructure. + +For example, AKS-related variables depend on settings for the cluster name as +well as the hostname of the AKS API server, which is assigned by Azure upon +creation of an AKS cluster. + +##### Secrets -- `AZURE_AKS_CLUSTER_NAME`: The name of the AKS cluster. Get from `Base`'s `k8s_cluster_name` -- `AZURE_AKS_HOST`: The AKS cluster hostname (without port or protocol). Get from `Base`'s `k8s_cluster_private_fqdn` - `AZURE_CLIENT_ID`: The hostname for the Azure ACT. Get from `Base`'s `container_registry_client_id` -- `AZURE_RESOURCE_GROUP`: The AKS Resource Group name. Specified by you when setting up the infrastructure. - `AZURE_SUBSCRIPTION_ID`: The Azure Subscription Id. Get from `Base`'s `azure_subscription_id` - `AZURE_TENANT_ID`: The Azure Tenant Id. 
Get from `Base`'s `azure_tenant_id` +- `BASTION_SSH_PRIVATE_KEY`: The ssh private key to access the bastion host. Get it by connection to the bastion host using SSH, and generating a new public/private SSH key pair. +- `REGISTRY_PASSWORD`: The password to access the Azure. Get from `Base`'s `container_registry_password` + +##### Variables + +- `AZURE_AKS_CLUSTER_NAME`: The name of the AKS cluster. Get from `Base`'s `k8s_cluster_name` +- `AZURE_AKS_HOST`: The AKS cluster hostname (without port or protocol). Get from `Base`'s `k8s_cluster_private_fqdn` +- `AZURE_RESOURCE_GROUP`: The AKS Resource Group name. Specified by you when setting up the infrastructure. - `BASTION_HOST`: The hostname for the bastion machine. Get from `Base`'s `bastion_hostname` - `BASTION_USER`: By default this will be `ubuntu` if using the initial user created on bastion host instantiation. It is configurable in case infrastructure admins wish to configure a different user on the bastion host or the default distro user is renamed. -- `BASTION_SSH_PRIVATE_KEY`: The ssh private key to access the bastion host. Get it by connection to the bastion host using SSH, and generating a new public/private SSH key pair. - `REGISTRY_LOGIN_SERVER`: The hostname for the Azure ACR. Get from `Base`'s `container_registry_hostname` - `REGISTRY_USERNAME`: The username for the Azure ACR. Get from `Base`'s `container_registry_client_id` -- `REGISTRY_PASSWORD`: The password to access the Azure. Get from `Base`'s `container_registry_password` -- `BASTION_SSH_PRIVATE_KEY`: The ssh private key to access the bastion host. Get it by connection to the bastion host using SSH, and generating a new public/private SSH key pair. Additional Github Actions Secrets are needed, as required by the [frontend application](../app/README.md#env-variables) and used by the corresponding [Github workflow](../.github/workflows/publish-marxan-docker-images.yml) that builds 
diff --git a/infrastructure/base/modules/github_secrets/main.tf b/infrastructure/base/modules/github_secrets/main.tf
index a5587e93ea..534da7b29e 100644
--- a/infrastructure/base/modules/github_secrets/main.tf
+++ b/infrastructure/base/modules/github_secrets/main.tf
@@ -1,13 +1,13 @@
-resource "github_actions_secret" "azure_aks_cluster_name" {
+resource "github_actions_variable" "azure_aks_cluster_name" {
 repository = var.repo_name
- secret_name = "AZURE_AKS_CLUSTER_NAME"
- plaintext_value = var.aks_cluster_name
+ variable_name = "AZURE_AKS_CLUSTER_NAME"
+ value = var.aks_cluster_name
 }
-resource "github_actions_secret" "azure_aks_host" {
+resource "github_actions_variable" "azure_aks_host" {
 repository = var.repo_name
- secret_name = "AZURE_AKS_HOST"
- plaintext_value = var.aks_host
+ variable_name = "AZURE_AKS_HOST"
+ value = var.aks_host
 }
 resource "github_actions_secret" "azure_client_id" {
@@ -16,10 +16,10 @@ resource "github_actions_secret" "azure_client_id" {
 plaintext_value = var.client_id
 }
-resource "github_actions_secret" "azure_resource_group" {
+resource "github_actions_variable" "azure_resource_group" {
 repository = var.repo_name
- secret_name = "AZURE_RESOURCE_GROUP"
- plaintext_value = var.resource_group_name
+ variable_name = "AZURE_RESOURCE_GROUP"
+ value = var.resource_group_name
 }
 resource "github_actions_secret" "azure_subscription_id" {
@@ -34,10 +34,10 @@ resource "github_actions_secret" "azure_tenant_id" {
 plaintext_value = var.tenant_id
 }
-resource "github_actions_secret" "bastion_host" {
+resource "github_actions_variable" "bastion_host" {
 repository = var.repo_name
- secret_name = "BASTION_HOST"
- plaintext_value = var.bastion_host
+ variable_name = "BASTION_HOST"
+ value = var.bastion_host
 }
 resource "github_actions_secret" "bastion_ssh_private_key" {
@@ -46,16 +46,16 @@ resource "github_actions_secret" "bastion_ssh_private_key" {
 plaintext_value = var.bastion_ssh_private_key
 }
-resource "github_actions_secret" "bastion_user" {
+resource "github_actions_variable" "bastion_user" {
 repository = var.repo_name
- secret_name = "BASTION_USER"
- plaintext_value = var.bastion_user
+ variable_name = "BASTION_USER"
+ value = var.bastion_user
 }
-resource "github_actions_secret" "registry_login_server" {
+resource "github_actions_variable" "registry_login_server" {
 repository = var.repo_name
- secret_name = "REGISTRY_LOGIN_SERVER"
- plaintext_value = var.registry_login_server
+ variable_name = "REGISTRY_LOGIN_SERVER"
+ value = var.registry_login_server
 }
 resource "github_actions_secret" "registry_password" {
@@ -64,56 +64,56 @@ resource "github_actions_secret" "registry_password" {
 plaintext_value = var.registry_password
 }
-resource "github_actions_secret" "registry_username" {
+resource "github_actions_variable" "registry_username" {
 repository = var.repo_name
- secret_name = "REGISTRY_USERNAME"
- plaintext_value = var.registry_username
+ variable_name = "REGISTRY_USERNAME"
+ value = var.registry_username
 }
-resource "github_actions_secret" "mapbox_api_token" {
+resource "github_actions_variable" "mapbox_api_token" {
 repository = var.repo_name
- secret_name = "NEXT_PUBLIC_MAPBOX_API_TOKEN"
- plaintext_value = var.mapbox_api_token
+ variable_name = "NEXT_PUBLIC_MAPBOX_API_TOKEN"
+ value = var.mapbox_api_token
 }
-resource "github_actions_secret" "contact_email" {
+resource "github_actions_variable" "contact_email" {
 repository = var.repo_name
- secret_name = "NEXT_PUBLIC_CONTACT_EMAIL"
- plaintext_value = var.support_email
+ variable_name = "NEXT_PUBLIC_CONTACT_EMAIL"
+ value = var.support_email
 }
-resource "github_actions_secret" "next_public_api_url_production" {
+resource "github_actions_variable" "next_public_api_url_production" {
 repository = var.repo_name
- secret_name = "NEXT_PUBLIC_API_URL_PRODUCTION"
- plaintext_value = "https://api.${var.domain}"
+ variable_name = "NEXT_PUBLIC_API_URL_PRODUCTION"
+ value = "https://api.${var.domain}"
 }
-resource "github_actions_secret" "next_public_url_production" {
+resource "github_actions_variable" "next_public_url_production" {
 repository = var.repo_name
- secret_name = "NEXT_PUBLIC_URL_PRODUCTION"
- plaintext_value = "https://${var.domain}"
+ variable_name = "NEXT_PUBLIC_URL_PRODUCTION"
+ value = "https://${var.domain}"
 }
-resource "github_actions_secret" "nextauth_url_production" {
+resource "github_actions_variable" "nextauth_url_production" {
 repository = var.repo_name
- secret_name = "NEXTAUTH_URL_PRODUCTION"
- plaintext_value = "https://client.${var.domain}"
+ variable_name = "NEXTAUTH_URL_PRODUCTION"
+ value = "https://client.${var.domain}"
 }
-resource "github_actions_secret" "next_public_api_url_staging" {
+resource "github_actions_variable" "next_public_api_url_staging" {
 repository = var.repo_name
- secret_name = "NEXT_PUBLIC_API_URL_STAGING"
- plaintext_value = "https://api.staging.${var.domain}"
+ variable_name = "NEXT_PUBLIC_API_URL_STAGING"
+ value = "https://api.staging.${var.domain}"
 }
-resource "github_actions_secret" "next_public_url_staging" {
+resource "github_actions_variable" "next_public_url_staging" {
 repository = var.repo_name
- secret_name = "NEXT_PUBLIC_URL_STAGING"
- plaintext_value = "https://staging.${var.domain}"
+ variable_name = "NEXT_PUBLIC_URL_STAGING"
+ value = "https://staging.${var.domain}"
 }
-resource "github_actions_secret" "nextauth_url_staging" {
+resource "github_actions_variable" "nextauth_url_staging" {
 repository = var.repo_name
- secret_name = "NEXTAUTH_URL_STAGING"
- plaintext_value = "https://client.staging.${var.domain}"
+ variable_name = "NEXTAUTH_URL_STAGING"
+ value = "https://client.staging.${var.domain}"
 }
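Review bot: `registry_username` becomes a plaintext `github_actions_variable` in this hunk while `azure_client_id`, visible as context in the first hunk of this file, stays a `github_actions_secret`, yet the README changed in this same commit documents both as taken from `Base`'s `container_registry_client_id`. If they do hold the same value, keeping one copy as a secret buys nothing: log masking only covers exact matches of registered secret values, and the value is printed unmasked wherever `REGISTRY_USERNAME` is interpolated. Either keep both as secrets or move `AZURE_CLIENT_ID` to a variable as well, and record the decision in a comment above the resource, e.g. `# Non-secret: this value is also exposed as the REGISTRY_USERNAME variable`. `mapbox_api_token` likewise becomes a variable; a `NEXT_PUBLIC_` value is baked into the client bundle anyway, but a one-line comment saying so would stop the next maintainer from assuming it is confidential.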