Re-org with a rw and ro environment (#16)

* Re-org with a rw and ro environment

* Add ENVIRONMENT variable

* Grant s3:HeadObject

* Fix S3 permissions

* Fix S3 permissions for real

* Some linter ignores

* Some linter ignores

.github/workflows/environment-main-deploy.yaml

@@ -14,7 +14,7 @@ jobs:
   envtest:
     name: Environment Main - Apply
     runs-on: ubuntu-latest
-    environment: main
+    environment: primary-rw
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
@@ -23,13 +23,13 @@ jobs:
     - name: Configure AWS Access
       uses: aws-actions/configure-aws-credentials@39228ca2bffc0bfc8f7761ce893f5b80e7eaaf8f
       with:
-        role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/GitHubAction-Wildsea-${{ vars.ENVIRONMENT }}
-        role-session-name: GitHubDeploy
+        role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/${{ vars.AWS_ROLE }}
+        role-session-name: GitHubDeploy-${{ vars.ENVIRONMENT }}
         aws-region: ${{ vars.AWS_REGION }}
     - name: terraform apply
       uses: dflook/terraform-apply@7d435d4d115a11e5db1e710ac969f5382f0f6f9f
       with:
-        path: terraform/environment/github
+        path: terraform/environment/wildsea
         variables: |
           aws_account="${{ vars.AWS_ACCOUNT }}"
           aws_region="${{ vars.AWS_REGION }}"

.github/workflows/environment-main-plan.yaml

@@ -12,7 +12,7 @@ jobs:
   envtest:
     name: Environment Main - Plan
     runs-on: ubuntu-latest
-    environment: main
+    environment: primary-ro
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
@@ -21,13 +21,13 @@ jobs:
     - name: Configure AWS Access
       uses: aws-actions/configure-aws-credentials@39228ca2bffc0bfc8f7761ce893f5b80e7eaaf8f
       with:
-        role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/GitHubAction-Wildsea
-        role-session-name: GitHubTest
+        role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/${{ vars.AWS_ROLE }}
+        role-session-name: GitHubTest-${{ vars.ENVIRONMENT }}
         aws-region: ${{ vars.AWS_REGION }}
     - name: terraform plan
       uses: dflook/terraform-plan@b0877a1bf56160160ab482f4aff8a12fff35fe06
       with:
-        path: terraform/environment/github
+        path: terraform/environment/wildsea
         variables: |
           aws_account="${{ vars.AWS_ACCOUNT }}"
           aws_region="${{ vars.AWS_REGION }}"

.github/workflows/terraform.yaml

@@ -3,7 +3,7 @@ name: Terraform Validation
 on:
   pull_request:
     paths:
-    - terraform/environment/github/**
+    - terraform/environment/wildsea/**
   push:
     branches:
     - main
@@ -18,5 +18,5 @@ jobs:
     - name: Validate Terraform
       uses: dflook/terraform-validate@93108d6d37b2fd79d527ec77c190105de1429bb5
       with:
-        path: terraform/environment/github
+        path: terraform/environment/wildsea
 

README.md

@@ -2,38 +2,43 @@
 
 Wildsea companion app
 
-## Repository Setup
+## Setup
 
-To set up a github repository:
+* Clone `[email protected]:jarrod-lowe/wildsea.git` and then `cd wildsea`
+* Configure git:
 
+  ```bash
+  git config gpg.format ssh
+  git config user.signingkey ~/.ssh/id_rsa
+  git config commit.gpgsign true
+  ```
+
+* Create an AWS Account for deployment
+  * Define a profile in your `~/.aws/config` to access it as admin for the initial setup deploys
+* Create an S3 bucket `terraform-state-<accountid>`
+* Create `terraform/environment/aws/terraform.tfvars`
+  * Add `workspace = "<your github org>"` to the vars file
+* Run `.AWS_PROFILE=<profile> ./terraform/environment/github/aws.sh <aws account id>`
 * Log into Codacy, and connect the repo
   * Configure the rule to maximum
-* Create a branch restriction rule called "main":
-  * Enforcement: Active
-  * Target Branches: Include default branch
-  * Tick Restrict creations
-  * Tick Restrict deletions
-  * Tick Require linear history
-  * Tick Require a pull request before merging
-    * Require 0 Approvals
-    * Require review from code owners
-  * Tick Require status checks to pass
-    * Tick require branches to be up to date before merging
-    * Add "Codacy Static Code Analysis" to status checks that are required
-  * Block force pushes
-  * TODO: Require code scanning results
+* In Codacy, in the repo, go to code patterns, and edit the coding standard:
+  * Set the languages to: CSS, Go, JSON, Javascript, Markdown, Python, Shell, Terraform, Typescript, XML, YAML
+  * Select every tool that is:
+    * NOT client-side
+    * NOT deprecated
+    * NOT remark-lint
+    * Matches one of the above languages
+* Log into Github and create a personal access token with the "repo" scope, and 7 days expiry
+* Create `terraform/environment/github/terraform.tfvars`
+  * Add `token = "<the token>"` to the vars file
+  * Add `workspace = "<your github org>"` to the vars file
+* Run `.AWS_PROFILE=<profile> ./terraform/environment/github/deploy.sh <aws account id>`
+
 * Install <https://github.com/apps/renovate> into the repo
-* Under settings, "Set up code scanning"
-  * Enable everything exeept Dependabot version updates
+
+To automate:
+
+* In Github, Under settings, "Set up code scanning"
+  * Enable everything except Dependabot version updates
   * Set up CodeQL to default
   * Set the Protection rules to Any/Any
-* Create an AWS Account for deployment
-  * Set up OIDC as per <https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/>
-  * Restrict it to the repo and branch main
-  * Add AdministratorAccess, for now, and call it GitHubAccess-Wildsea-main
-  * Add another role with ReadyOnlyAccess, don't restrict the branch, and call it GitHubAccess-Wildsea
-* Add an environment "main"
-  * Add an Environment Variable in the environment "AWS_ACCOUNT" with the ID of the AWS Account
-  * Add an Environment Variable in the environment "AWS_REGION" with the AWS Region you want to use
-  * Add an Environment Variable in the environment "STATE_BUCKET" with the name of the state bucket you created
-  * Add an Environment Variable in the environment "ENVIRONMENT" with the name of the environment

terraform/environment/aws/deploy.sh

@@ -0,0 +1,39 @@
+#!/bin/bash -eu
+if [ -z "${1:-}" ] ; then
+    echo >&2 "Usage: $0 <aws-account-id> [environment] [region]"
+    echo >&2 "Eg: $0 0123456789012"
+    exit 2
+fi
+
+DIR="$( dirname "$0" )"
+cd "${DIR}"
+
+ACCOUNT_ID="$1"
+ENVIRONMENT="${2:-primary}"
+AWS_REGION="${3:-ap-southeast-2}"
+STATE_BUCKET="terraform-state-${ACCOUNT_ID}"
+
+if ! aws help >/dev/null ; then
+    echo >&2 "Error: aws cli not installed"
+    exit 3
+fi
+
+if ! aws sts get-caller-identity >/dev/null ; then
+    echo >&2 "Error: not logged into AWS"
+    exit 4
+fi
+
+if ! aws s3 ls "s3://${STATE_BUCKET}/" >/dev/null ; then
+    echo >&2 "Error: AWS Role does not have access to the state bucket"
+    aws sts get-caller-identity
+    exit 5
+fi
+
+terraform init \
+    -backend-config="bucket=${STATE_BUCKET}" \
+    -backend-config="key=${ENVIRONMENT}/aws.tfstate" \
+    -backend-config="region=${AWS_REGION}"
+
+terraform apply \
+    -var environment="${ENVIRONMENT}" \
+    -var state_bucket="${STATE_BUCKET}"

terraform/environment/aws/main.tf

@@ -0,0 +1,46 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
+variable "app_name" {
+    default = "Wildsea"
+}
+
+variable "action_prefix" {
+    default = "GitHubAction"
+}
+
+variable "workspace" {
+  description = "Github Organisation name"
+  type        = string
+}
+
+variable "repo" {
+  description = "Repository name"
+  type        = string
+  default     = "wildsea"
+}
+
+variable "state_bucket" {
+  description = "State Bucket to use for deploys"
+  type        = string
+}
+
+variable "environment" {
+  description = "Unique name for the deployment"
+  type        = string
+  default     = "primary"
+}
+
+terraform {
+    backend "s3" {
+        // region, bucket and key come from -backend-config
+    }
+}
+
+provider "aws" {
+    default_tags {
+      tags = {
+        Application = "Wildsea-setup-${var.environment}"
+      }
+    }
+}