Environment (#7)

* Testing branch protection * First workflow * First workflow - fixes * Pin versions * Environment * Create test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow * more test workflaow
jarrod-lowe · Aug 10, 2024 · d202f29 · d202f29
1 parent 81b62f4
commit d202f29
Show file tree

Hide file tree

Showing 6 changed files with 174 additions and 1 deletion.
diff --git a/.github/workflows/environment-main-deploy.yaml b/.github/workflows/environment-main-deploy.yaml
@@ -0,0 +1,41 @@
+name: Environment Main - Apply
+
+on:
+  push:
+    branches:
+    - main
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  envtest:
+    name: Environment Main - Apply
+    runs-on: ubuntu-latest
+    environment: main
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
+    - name: Configure AWS Access
+      uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+      with:
+        role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/GitHubAction-Wildsea@${{ vars.ENVIRONMENT }}
+        role-session-name: GitHubTest
+        aws-region: ${{ vars.AWS_REGION }}
+    - name: terraform plan
+      uses: dflook/terraform-apply@@c3f4d3e8d5a1a5b8d5e4e3e7f8f2b3a1c4e9d3f2
+      with:
+        path: terraform/environment/github
+        variables: |
+          aws_account="${{ vars.AWS_ACCOUNT }}"
+          aws_region="${{ vars.AWS_REGION }}"
+          state_bucket="${{ vars.STATE_BUCKET }}"
+          environment="${{ vars.ENVIRONMENT }}"
+        backend_config:
+          bucket=${{ vars.STATE_BUCKET }}
+          key=${{ vars.ENVIRONMENT }}/terraform.tfstate
+          region=${{ vars.AWS_REGION }}
diff --git a/.github/workflows/environment-main-plan.yaml b/.github/workflows/environment-main-plan.yaml
@@ -0,0 +1,39 @@
+name: Environment Main - Plan
+
+on:
+  pull_request: {}
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  envtest:
+    name: Environment Main - Plan
+    runs-on: ubuntu-latest
+    environment: main
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
+    - name: Configure AWS Access
+      uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+      with:
+        role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/GitHubAction-Wildsea
+        role-session-name: GitHubTest
+        aws-region: ${{ vars.AWS_REGION }}
+    - name: terraform plan
+      uses: dflook/terraform-plan@d9df4f6c2484e709ba7ffaa16c98a6906f4760cd
+      with:
+        path: terraform/environment/github
+        variables: |
+          aws_account="${{ vars.AWS_ACCOUNT }}"
+          aws_region="${{ vars.AWS_REGION }}"
+          state_bucket="${{ vars.STATE_BUCKET }}"
+          environment="${{ vars.ENVIRONMENT }}"
+        backend_config:
+          bucket=${{ vars.STATE_BUCKET }}
+          key=${{ vars.ENVIRONMENT }}/terraform.tfstate
+          region=${{ vars.AWS_REGION }}
diff --git a/README.md b/README.md
@@ -22,3 +22,18 @@ To set up a github repository:
     * Add "Codacy Static Code Analysis" to status checks that are required
   * Block force pushes
   * TODO: Require code scanning results
+* Install <https://github.com/apps/renovate> into the repo
+* Under settings, "Set up code scanning"
+  * Enable everything exeept Dependabot version updates
+  * Set up CodeQL to default
+  * Set the Protection rules to Any/Any
+* Create an AWS Account for deployment
+  * Set up OIDC as per <https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/>
+  * Restrict it to the repo and branch main
+  * Add AdministratorAccess, for now, and call it GitHubAccess-Wildsea@main
+  * Add another role with ReadyOnlyAccess, don't restrict the branch, and call it GitHubAccess-Wildsea
+* Add an environment "main"
+  * Add an Environment Variable in the environment "AWS_ACCOUNT" with the ID of the AWS Account
+  * Add an Environment Variable in the environment "AWS_REGION" with the AWS Region you want to use
+  * Add an Environment Variable in the environment "STATE_BUCKET" with the name of the state bucket you created
+  * Add an Environment Variable in the environment "ENVIRONMENT" with the name of the environment
diff --git a/renovate.json b/renovate.json
@@ -1,6 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended"
+    "config:recommended",
+    ":dependencyDashboard"
   ]
 }
diff --git a/terraform/environment/github/.terraform.lock.hcl b/terraform/environment/github/.terraform.lock.hcl
diff --git a/terraform/environment/github/main.tf b/terraform/environment/github/main.tf
@@ -1 +1,35 @@
 resource "null_resource" "test" {}
+
+variable "aws_account" {
+    description = "ID of the AWS Account"
+    type = string
+    sensitive = true
+}
+
+variable "aws_region" {
+    description = "AWS Region name"
+    type = string
+    sensitive = true
+}
+
+variable "state_bucket" {
+    description = "Name of the S3 state bucket"
+    type        = string
+}
+
+variable "environment" {
+    description = "Name of the Environment"
+    type        = string
+}
+
+terraform {
+    backend "s3" {
+        // region, bucket and key come from -backend-config
+    }
+}
+
+provider "aws" {
+    assume_role {
+      role_arn = "arn:aws:iam::${var.aws_account}:role/GitHubAction-Wildsea"
+    }
+}