

Dev deployments (#23)
* Dev deployments

* Codacy fixes
jarrod-lowe authored Aug 11, 2024
1 parent 1d2d4ca commit 7d25c9c
Showing 23 changed files with 513 additions and 108 deletions.
4 changes: 1 addition & 3 deletions .github/workflows/environment-main-deploy.yaml
Expand Up @@ -31,10 +31,8 @@ jobs:
with:
path: terraform/environment/wildsea
variables: |
aws_account="${{ vars.AWS_ACCOUNT }}"
aws_region="${{ vars.AWS_REGION }}"
state_bucket="${{ vars.STATE_BUCKET }}"
environment="${{ vars.ENVIRONMENT }}"
saml_metadata_url="${{ secrets.SAML_METADATA_URL }}"
backend_config:
bucket=${{ vars.STATE_BUCKET }}
key=${{ vars.ENVIRONMENT }}/terraform.tfstate
3 changes: 0 additions & 3 deletions .github/workflows/environment-main-plan.yaml
Expand Up @@ -29,9 +29,6 @@ jobs:
with:
path: terraform/environment/wildsea
variables: |
aws_account="${{ vars.AWS_ACCOUNT }}"
aws_region="${{ vars.AWS_REGION }}"
state_bucket="${{ vars.STATE_BUCKET }}"
environment="${{ vars.ENVIRONMENT }}"
saml_metadata_url="${{ secrets.SAML_METADATA_URL }}"
backend_config:
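--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,5 @@ override.tf.json
 .terraformrc
 terraform.rc
 .validate
+.apply
+.plan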
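--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,38 @@
 default: all
 
-TERRAFORM_ENVIRONMENTS := aws github wildsea
+TERRAFORM_ENVIRONMENTS := aws github wildsea aws-dev wildsea-dev
 TERRAFOM_VALIDATE := $(addsuffix /.validate,$(addprefix terraform/environment/, $(TERRAFORM_ENVIRONMENTS)))
+ACCOUNT_ID := $(shell aws sts get-caller-identity --query 'Account' --output text)
+AWS_REGION ?= "ap-southeast-2"
+RO_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-ro-dev
+RW_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-rw-dev
 
 all: $(TERRAFOM_VALIDATE)
 
 terraform/environment/%/.validate: terraform/environment/%/*.tf
 cd terraform/environment/$* ; terraform fmt
 cd terraform/environment/$* ; terraform validate
 touch $@
 
+.PHONY: dev
+dev: terraform/environment/aws-dev/.apply terraform/environment/wildsea-dev/.apply
+@true
+
+terraform/environment/aws-dev/.apply: terraform/environment/aws-dev/*.tf terraform/module/iac-roles/*.tf
+./terraform/environment/aws-dev/deploy.sh $(ACCOUNT_ID) dev
+touch $@
+
+terraform/environment/wildsea-dev/.plan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform
+cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RO_ROLE) \
+terraform plan -out=./plan
+
+terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/.plan
+cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RW_ROLE) \
+terraform apply ./plan
+touch $@
+
+terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf
+cd terraform/environment/wildsea-dev ; terraform init \
+-backend-config=bucket=terraform-state-$(ACCOUNT_ID) \
+-backend-config=key=dev/terraform.tfstate \
+-backend-config=region=$(AWS_REGION)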
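Review bot: `ACCOUNT_ID := $(shell aws sts get-caller-identity …)` runs on every make invocation and, when the call fails (no credentials, wrong profile), expands to an empty string that every consumer accepts silently: `RO_ROLE`/`RW_ROLE` become `arn:aws:iam:::role/…` and the init line targets a bucket named `terraform-state-`. A parse-time `$(error)` would be the wrong fix because `make all` only runs fmt/validate and needs no AWS access, so the check belongs at the top of each recipe that embeds the value (both `.apply` rules, `.plan` and `.terraform`), as in the macro below. Separately, the `.plan` rule writes `./plan` instead of its target `.plan`, so the stamp never exists, `make dev` re-plans and re-applies on every run, and the `plan` artifact is not covered by the `.plan` entry this commit adds to `.gitignore` — this commit itself checks in `terraform/environment/wildsea-dev/plan`, and a Terraform plan file can carry variable and state values, including the `sensitive` `saml_metadata_url`; writing `-out=$(@F)` and applying `$(<F)` fixes both. The new recipes also chain with `cd … ;` where `cd … &&` would stop a failed `cd` from running terraform in the repository root.
```make
# Fail fast instead of deriving role ARNs and the state bucket name from an empty account id
define require_account
@test -n "$(ACCOUNT_ID)" || { echo "ACCOUNT_ID is empty: aws sts get-caller-identity failed" >&2; exit 1; }
endef

# … unchanged: validate pattern rule, dev target, aws-dev .apply rule (prepend $(require_account) to its recipe) …

terraform/environment/wildsea-dev/.plan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform
	$(require_account)
	cd terraform/environment/wildsea-dev && ../../../scripts/run-as.sh $(RO_ROLE) \
	terraform plan -out=$(@F)

terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/.plan
	$(require_account)
	cd terraform/environment/wildsea-dev && ../../../scripts/run-as.sh $(RW_ROLE) \
	terraform apply $(<F)
	touch $@

# … unchanged: .terraform rule (prepend $(require_account) and use && as above) …
```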
9 changes: 9 additions & 0 deletions README.md
Expand Up @@ -81,3 +81,12 @@ to the URL you got earlier.

Since you require the details of the Cognito pool before creating the Jumpcloud
setup, you will need to re-run the deployment after adding the secrets.

## Development Environment

After having set up the AWS Account, use `AWS_PROFILE=<profile> make dev` to
deploy a development version. If this is a different AWS Account from the real
deployment, you will need to create an S3 bucket for the state, in the same way
as you did for the real deployment.

Development environments will not use Jumpcloud, but instead use Cognito.
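--- a/scripts/run-as.sh
+++ b/scripts/run-as.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -eu
+
+ROLE_ARN=$1
+shift
+COMMAND=$@
+
+CREDS=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "terraform-${RANDOM}" --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
+
+export AWS_ACCESS_KEY_ID="$(echo "${CREDS}" | awk '{print $1}')"
+export AWS_SECRET_ACCESS_KEY="$(echo "${CREDS}" | awk '{print $2}')"
+export AWS_SESSION_TOKEN="$(echo "${CREDS}" | awk '{print $3}')"
+
+exec $COMMAND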
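Review bot: `COMMAND=$@` followed by `exec $COMMAND` re-splits the arguments on whitespace and expands globs, so a quoted argument containing a space or `*` (a `-var` value, for instance) no longer reaches terraform intact; drop the variable and use `exec "$@"`. The role session name `terraform-${RANDOM}` is what CloudTrail records for every action taken under the assumed role, and a random number gives no attribution across developers sharing the dev account; `--role-session-name "terraform-${USER:-unknown}-$$"` keeps the entry traceable to a person and still unique. A one-line comment at the top, `# Assumes ROLE_ARN and execs the remaining arguments with the temporary credentials in the environment`, would also document the contract for Makefile callers.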
24 changes: 24 additions & 0 deletions terraform/environment/aws-dev/.terraform.lock.hcl


1 change: 1 addition & 0 deletions terraform/environment/aws-dev/deploy.sh
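--- a/terraform/environment/aws-dev/main.tf
+++ b/terraform/environment/aws-dev/main.tf
@@ -0,0 +1,58 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+variable "app_name" {
+default = "Wildsea"
+}
+
+variable "action_prefix" {
+default = "GitHubAction"
+}
+
+variable "repo" {
+description = "Repository name"
+type = string
+default = "wildsea"
+}
+
+variable "state_bucket" {
+description = "State Bucket to use for deploys"
+type = string
+}
+
+variable "environment" {
+description = "Unique name for the deployment"
+type = string
+default = "primary"
+}
+
+terraform {
+backend "s3" {
+// region, bucket and key come from -backend-config
+}
+}
+
+locals {
+prefix = "${var.app_name}-${var.environment}"
+}
+
+provider "aws" {
+default_tags {
+tags = {
+Application = "${var.app_name}-setup-${var.environment}"
+}
+}
+}
+
+module "iac-roles" {
+source = "../../module/iac-roles"
+app_name = var.app_name
+environment = var.environment
+action_prefix = var.action_prefix
+workspace = "none"
+repo = var.repo
+state_bucket_arn = "arn:${data.aws_partition.current.id}:s3:::${var.state_bucket}"
+oidc_type = "AWS"
+oidc_arn = data.aws_caller_identity.current.account_id
+}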
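Review bot: `oidc_type = "AWS"` together with `oidc_arn = data.aws_caller_identity.current.account_id` hands the module the bare account id as the trusted principal; if the module places it in the roles' trust policy unchanged (the trust policy is not in this diff), the `GitHubAction-Wildsea-ro-dev`/`-rw-dev` roles become assumable by any identity in the account that holds `sts:AssumeRole`, not only the developer running `make dev`. Scoping the principal to the deploying user's or role's ARN instead of the account id keeps the dev roles least-privilege, and whichever choice stands deserves a comment on the `oidc_arn` line because the module variable is described as an OIDC provider ARN. `local.prefix` and `data "aws_region" "current"` are declared but unused in this file.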
26 changes: 26 additions & 0 deletions terraform/environment/aws/main.tf
Expand Up @@ -49,3 +49,29 @@ provider "aws" {
}
}
}

import {
to = module.state-bucket.aws_s3_bucket.state
id = var.state_bucket
}

module "iac-roles" {
source = "../../module/iac-roles"
app_name = var.app_name
environment = var.environment
action_prefix = var.action_prefix
workspace = var.workspace
repo = var.repo
state_bucket_arn = module.state-bucket.arn
oidc_arn = module.oidc.oidc_arn
oidc_type = "Federated"
}

module "state-bucket" {
source = "../../module/state-bucket"
state_bucket = var.state_bucket
}

module "oidc" {
source = "../../module/oidc"
}
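Review bot: The `import` block for `module.state-bucket.aws_s3_bucket.state` is a one-time adoption of the already-existing bucket into the new `state-bucket` module, and nothing says so; a comment such as `# Adopts the pre-existing state bucket into module.state-bucket; a no-op once the resource is in state` stops a later reader from treating it as steady-state configuration or deleting it before it has been applied. The three closing braces at the top of the hunk belong to the `provider "aws"` block, which starts outside the hunk.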
24 changes: 24 additions & 0 deletions terraform/environment/wildsea-dev/.terraform.lock.hcl


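--- a/terraform/environment/wildsea-dev/main.tf
+++ b/terraform/environment/wildsea-dev/main.tf
@@ -0,0 +1,32 @@
+variable "saml_metadata_url" {
+description = "SAML Metadata URL"
+type = string
+sensitive = true
+default = ""
+}
+
+locals {
+app_name = "Wildsea"
+prefix = "${local.app_name}-dev"
+}
+
+terraform {
+backend "s3" {
+// region, bucket and key come from -backend-config
+}
+}
+
+provider "aws" {
+default_tags {
+tags = {
+Application = local.prefix
+}
+}
+}
+
+module "wildsea" {
+source = "../../module/wildsea"
+
+saml_metadata_url = var.saml_metadata_url
+prefix = local.prefix
+}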
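Review bot: `saml_metadata_url` is `sensitive = true` with `default = ""`, and the README in this commit says development environments use Cognito rather than Jumpcloud, so the empty default is presumably the switch that disables SAML inside `module "wildsea"` — but nothing in this file states that contract. Once confirmed against the module, extend the description to `"SAML Metadata URL; leave empty to skip the SAML/Jumpcloud identity provider (dev uses Cognito)"` so the meaning of the empty value is visible where it is set.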
Binary file added terraform/environment/wildsea-dev/plan
Binary file not shown.
28 changes: 7 additions & 21 deletions terraform/environment/wildsea/main.tf
@@ -1,24 +1,3 @@
data "aws_region" "current" {}
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

variable "aws_account" {
description = "ID of the AWS Account"
type = string
sensitive = true
}

variable "aws_region" {
description = "AWS Region name"
type = string
sensitive = true
}

variable "state_bucket" {
description = "Name of the S3 state bucket"
type = string
}

variable "environment" {
description = "Name of the Environment"
type = string
Expand Down Expand Up @@ -49,3 +28,10 @@ provider "aws" {
}
}
}

module "wildsea" {
source = "../../module/wildsea"

saml_metadata_url = var.saml_metadata_url
prefix = local.prefix
}
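--- a/terraform/module/iac-roles/main.tf
+++ b/terraform/module/iac-roles/main.tf
@@ -0,0 +1,48 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+variable "app_name" {
+default = "Wildsea"
+}
+
+variable "action_prefix" {
+default = "GitHubAction"
+}
+
+variable "workspace" {
+description = "Github Organisation name"
+type = string
+}
+
+variable "repo" {
+description = "Repository name"
+type = string
+default = "wildsea"
+}
+
+variable "environment" {
+description = "Unique name for the deployment"
+type = string
+default = "primary"
+}
+
+variable "state_bucket_arn" {
+description = "ARN of the state bucket"
+type = string
+}
+
+variable "oidc_arn" {
+description = "ARN of the OIDC provider"
+type = string
+}
+
+variable "oidc_type" {
+description = "Type of principal for the OIDC Provider"
+type = string
+default = "Federated"
+}
+
+locals {
+prefix = "${var.app_name}-${var.environment}"
+}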
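Review bot: `oidc_arn` is described as "ARN of the OIDC provider" and `oidc_type` defaults to `"Federated"`, but the new `aws-dev` environment passes `oidc_type = "AWS"` with an account id in `oidc_arn`, so the description is already wrong for one of the two callers and nothing rejects a mistyped `oidc_type` before it reaches a trust policy. A `validation` block on `oidc_type` and a description that covers both principal kinds, as below, make the contract explicit at the module boundary; the trust policy that consumes these values is not in this file. `app_name` and `action_prefix` also lack `type = string` and a `description`, unlike the other variables in the file.
```hcl
variable "oidc_arn" {
  description = "Principal for the role trust policy: the OIDC provider ARN when oidc_type is \"Federated\", or the AWS account id / principal ARN when it is \"AWS\""
  type        = string
}

variable "oidc_type" {
  description = "Type of principal for the OIDC Provider"
  type        = string
  default     = "Federated"

  validation {
    condition     = contains(["Federated", "AWS"], var.oidc_type)
    error_message = "oidc_type must be \"Federated\" or \"AWS\"."
  }
}

# … unchanged: data sources, the other variables, locals …
```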

